UPMC data breach shows easiness of tax return thefts
Identity thieves target millions of taxpayers through a low-cost, high-return scheme while the Internal Revenue Service races to catch up, security analysts say. That's because the agency processes refunds as soon as taxpayers file forms — paying even criminals who file first.
“They have segued into this IRS thing because it's so easy,” said Patrick Fallon, an assistant special agent in charge at the FBI's Pittsburgh field office. “It's easy money.”
When the IRS began a recent tax fraud investigation, a 40-year-old agent came up with the code name: Operation Dire Straits.
“Get your money for nothing,” as the British rock band of a similar name sang.
FBI agents in Pittsburgh on Wednesday said Nigerian-born suspects used stolen identities and fake returns to steal $10 million from the IRS.
Separately, scammers breached UPMC's data records to file as many as 788 falsified returns, according to the health care giant.
In general, if a criminal files the claim first, the agency won't accept a second claim from the real taxpayer, said Akeia Conner, special agent in charge of criminal investigations for the IRS' Philadelphia office.
IRS workers issued about $4 billion in fraudulent tax refunds in 2012 alone, according to a federal watchdog report.
“You as the taxpayer have to explain to the IRS how the tax return filed in your name wasn't really filed by you. Then you have to pursue them to get your (refund) and go through the whole rigmarole of dealing with the IRS,” said Joseph DeMarco, a former head of the cybercrime unit at the U.S. Attorney's Office in New York.
He said hackers who break into a company database can assemble just enough personal information — Social Security numbers, names and addresses — to produce convincing false returns with inexpensive fake documents.
The IRS system will accept a return for processing as long as nothing else has been filed for that person, though it will reject a filing if a return for the Social Security number has arrived, Conner said.
“The system is not really designed to detect the scheme,” she said.
Many scammers will request fraudulent refunds in the form of gift-style cards offered by the IRS, redeemable at department stores and other retailers. That makes it tougher for investigators to track the money because it is not funneled into an identifiable bank account, DeMarco said.
“Short of abandoning the program wholesale, I think the government needs to impose more rigorous controls,” he said.
An IRS spokeswoman did not comment on the store card program, and it is not clear whether high-profile scams in Western Pennsylvania involved the cards. The U.S. Attorney's Office for Western Pennsylvania declined to address that question, but law enforcement officials confirmed an investigation into the UPMC breach is ongoing.
Personal information for as many as 27,000 workers might have been compromised, UPMC said last week. At least two people received alerts from an identity theft protection company that their personal data showed up in an underground or black market-type forum, said Downtown-based civil attorney Michael Kraemer.
“It gives me more questions. Is this related to the UPMC data breach? If it is, UPMC should be as transparent as possible in letting everyone know what they know about who has the information or if it's been contained,” said Kraemer, who is pursuing class-action litigation against UPMC.
UPMC spokeswoman Gloria Kreps said the employer alerted federal authorities, experts and workers starting in February. She said the hospital system is committed to investigating and prosecuting perpetrators.
“Because this is an active investigation, we cannot discuss details,” Kreps said.
The Government Accountability Office in Washington is examining how the IRS prevents tax return fraud, said James White, a director at the agency. The IRS called the problem one of its biggest challenges and said it's refining fraud identification practices.
It stopped 3 million fake returns in 2011, 5 million in 2012 and more than 6.7 million last year, according to internal reports. Yet scammers ripped off the identities of more than 1.2 million taxpayers in fiscal year 2012 and more than 1.6 million last year, an agency audit shows.
“We're getting better at stopping this before the money goes out the door,” the IRS said in a prepared statement.
Show commenting policy
TribLive commenting policy
You are solely responsible for your comments and by using TribLive.com you agree to our Terms of Service.
We moderate comments. Our goal is to provide substantive commentary for a general readership. By screening submissions, we provide a space where readers can share intelligent and informed commentary that enhances the quality of our news and information.
While most comments will be posted if they are on-topic and not abusive, moderating decisions are subjective. We will make them as carefully and consistently as we can. Because of the volume of reader comments, we cannot review individual moderation decisions with readers.
We value thoughtful comments representing a range of views that make their point quickly and politely. We make an effort to protect discussions from repeated comments either by the same reader or different readers.
We follow the same standards for taste as the daily newspaper. A few things we won't tolerate: personal attacks, obscenity, vulgarity, profanity (including expletives and letters followed by dashes), commercial promotion, impersonations, incoherence, proselytizing and SHOUTING. Don't include URLs to Web sites.
We do not edit comments. They are either approved or deleted. We reserve the right to edit a comment that is quoted or excerpted in an article. In this case, we may fix spelling and punctuation.
We welcome strong opinions and criticism of our work, but we don't want comments to become bogged down with discussions of our policies and we will moderate accordingly.
We appreciate it when readers and people quoted in articles or blog posts point out errors of fact or emphasis and will investigate all assertions. But these suggestions should be sent via e-mail. To avoid distracting other readers, we won't publish comments that suggest a correction. Instead, corrections will be made in a blog post or in an article.
- August Wilson Center’s financial woes leave little guys in a lurch
- Police say Bloomfield man leashed dog with Xbox cord, injuring it
- Despite PSU-Central Fla., Dubliners slow to embrace American football
- Mild, mainly cloudy summer has kept smog levels at bay in W.Pa.
- Fire damages church’s roof in Pittsburgh’s Allentown section
- Allegheny County Council’s motto plan expands
- Allegheny County police union cool to park rangers plan
- Carnegie Mellon University picks architect for business school
- Uber and Lyft say they’ll rely on PennDOT inspections for safety
- Arizona Uzi shooting that accidentally killed instructor ‘just stupid’
- Carnegie on-ramp to I-376 to close Friday