The Internal Revenue Service (IRS) have said the cyberattack, where hackers penetrated their computer databases, has caused more damage than originally anticipated.
Over 300,000 taxpayer accounts have been compromised, and 600,000 breaches attempted on the compromised accounts.
The IRS reported in May that cyber crooks used stolen Social Security numbers and other data acquired elsewhere to try to gain unauthorized access to prior-year tax return information for about 225,000 U.S. households. That included about 114,000 successful attempts and 111,000 unsuccessful ones.
On Monday, the agency said its review showed that an additional 390,000 taxpayers were potentially affected. That includes about 220,000 additional households “where there were instances of possible or potential access” to prior-year return data, the IRS said in a statement. It also includes about 170,000 additional instances of “suspected attempts that failed to clear the authentication processes,” it added.
As before, the IRS said it would move immediately to notify affected taxpayers and take other steps, including offering free credit protection and special identification numbers to reduce instances of tax-refund fraud.
The breaches occurred in an online application called “Get Transcript” that allowed taxpayers to obtain prior-year return information. The system was shut down when the problems came to light.
“The IRS takes the security of taxpayer data extremely seriously, and we are working to continue to strengthen security for `Get Transcript,’ including by enhancing taxpayer-identity authentication protocols,” the agency said.
The incidents echo similar problems earlier this year in some states, and underscore growing risk from cyberattacks for individuals, governments and businesses.
IRS officials believe it also reflects attackers’ ability to carefully aggregate vast amounts of personal data from multiple sources, and plan and execute highly sophisticated schemes.
The IRS previously has said that to access the taxpayer information, hackers had to navigate a multistep authentication process requiring personal knowledge about the taxpayer, including Social Security numbers, date of birth, tax filing status and street address. The process also involved answering personal questions such as “What was your high school mascot?”
Only a few thousand of the taxpayer accounts were the subject of attempted refund fraud. But IRS officials believe hackers in many instances were gathering the information to facilitate fraud during the 2016 tax-filing season.
The agency said that uncertainty still surrounds many of the cases it has identified, so the IRS will advise taxpayers they can disregard the notification letter if they were actually the ones seeking a copy of their return information.