IRS Data Breach: What to Do Right Now

UPDATED Aug. 18, 2015: The Internal Revenue Service now says that as many as 330,000 taxpayer accounts, not 110,000 as previously thought, were breached during attacks stretching back to November 2014. About 200,000 other accounts were attacked, but not compromised.

The agency will send notifications via U.S. mail to all holders of affected accounts, and will provide free credit monitoring to taxpayers whose accounts were breached. Our advice to those affected, who now number more than 500,000, remains unchanged.

Please be aware that even those individuals and couples whose taxpayer accounts were NOT compromised have nevertheless already had their identities stolen and need to take the steps described below.

If you find out you're among the 200,000 American taxpayers hit by the data breach disclosed yesterday (May 26) by the Internal Revenue Service, then you are in serious trouble. This is much worse than a typical data breach. Your identity is actively being used for fraud, and you need to take action as soon as you get a notice from the IRS.

First, some background: The thieves who hit the IRS between February and mid-May of this year didn't steal personal information from the tax agency. They already had it. That information was harvested in unspecified earlier data breaches — possibly the massive breaches at health insurers Anthem and Premera disclosed a few months ago, which contained full names, addresses, dates of birth and Social Security numbers of more than 90 million individuals.

MORE: What to Do After a Data Breach

With such information, the IRS "hackers" didn't have to hack the IRS website. Instead, they walked right in the front door, verifying stolen identities in half of roughly 200,000 attempts. (The other half were stymied by "security" questions, the answers to some of which could have been found on Facebook or Zillow.) Once in, they downloaded transcripts of previous tax filings, which were used to file fraudulent 2014 tax returns that paid out more than $50 million in refunds to crooks.

"These are not amateurs," IRS Commissioner John Koskinen told The New York Times. "These actually are organized crime syndicates that not only we, but everybody in the financial industry, are dealing with."

The IRS will mail out letters this week to all 200,000 individuals whose personal information was used. The 100,000 people whose transcripts were fraudulently obtained will be offered free credit monitoring for an unspecified period.

There's no harm in signing up for the free monitoring, but it won't be enough. If you get a letter from the IRS about this incident, whether or not a transcript was obtained, then your personally identifiable information is already being exploited by criminals. You're not at risk of identity theft; your identity has already been stolen.

Here's what you need to do.

1. Request a fraud alert, also known as a credit alert, on your file with one of the three main credit-reporting agencies. The agency you contact will inform the other two, you'll get a credit report from each, and it will cost you nothing.

For the next 90 days, you'll be informed whenever a credit report is run on you (a routine occurrence) and whenever someone tries to open an account in your name (not routine). You can renew the fraud alert every 90 days as many times as you like.

To contact Equifax, call 1-888-766-0008 or go to this Web page. To contact Experian, call 1-888-397-3742 or go here. For TransUnion, the phone number is 1-800-680-7289 and the link is here.

2. Sign up with a good credit-monitoring service, also known as an identity-protection service. "Protection" is a misleading term — what these services do is alert you if something is wrong, and, sometimes, help you resolve issues. Unfortunately, the services you get for free if you're the victim of a large-scale data breach are among the least impressive we've evaluated, doing the bare minimum to keep you informed of possible fraudulent activity.

Instead, it's worth paying for a solid service, such as LifeLock, IdentityForce and Identity Guard, which we found to be much more useful and thorough. Each offers different tiers of pricing and coverage; it can add up to a lot, but we recommend signing up for at least six months if you're part of the IRS 200,000.

3. File a police report of identity theft with your local police precinct. This may seem pointless, but it's extremely important because it will establish a legal basis with which you can dispute any future fraudulent activity, and may make you eligible for a free credit freeze (see below).

4. File a formal complaint of identity theft with the Federal Trade Commission, which you can do here, for the same reasons.

5. Consider instituting a credit freeze, also known as a security freeze, with the credit-reporting agencies. You may have to pay a small fee to each agency to both begin and end a credit freeze, although in most states, the fee is waived for persons who have filed police reports of identity theft.

A credit freeze will stop anyone from opening an account in your name without your explicit approval. The downside is that it won't let anyone run a credit report on you, either — which may snarl things up if you're trying to buy a house or a car or even to change your cellphone company. Still, because your identity has already been stolen and anything could happen with your data, the inconvenience may be worth the peace of mind.

Paul Wagenseil is a senior editor at Tom's Guide focused on security and gaming. Follow him at @snd_wagenseilFollow Tom's Guide at @tomsguide, on Facebook and on Google+.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.