UPMC Data Breach Shows Ease of Tax Return Thefts

FBI agents in Pittsburgh on Wednesday said Nigerian-born suspects used stolen identities and fake returns to steal $10 million from the IRS.

by Andrew Conte and Adam Smeltz, McClatchy News Service / April 24, 2014

Identity thieves target millions of taxpayers through a low-cost, high-return scheme while the Internal Revenue Service races to catch up, security analysts say. That's because the agency processes refunds as soon as taxpayers file forms — paying even criminals who file first.

“They have segued into this IRS thing because it's so easy,” said Patrick Fallon, an assistant special agent in charge at the FBI's Pittsburgh field office. “It's easy money.”

When the IRS began a recent tax fraud investigation, a 40-year-old agent came up with the code name: Operation Dire Straits.

“Get your money for nothing,” as the British rock band of a similar name sang.

FBI agents in Pittsburgh on Wednesday said Nigerian-born suspects used stolen identities and fake returns to steal $10 million from the IRS.

Separately, scammers breached UPMC's data records to file as many as 788 falsified returns, according to the health-care giant.

In general, if a criminal files the claim first, the agency won't accept a second claim from the real taxpayer, said Akeia Conner, special agent in charge of criminal investigations for the IRS' Philadelphia office.

IRS workers issued about $4 billion in fraudulent tax refunds in 2012 alone, according to a federal watchdog report.

“You as the taxpayer have to explain to the IRS how the tax return filed in your name wasn't really filed by you. Then you have to pursue them to get your (refund) and go through the whole rigmarole of dealing with the IRS,” said Joseph DeMarco, a former head of the cybercrime unit at the U.S. Attorney's Office in New York.

He said hackers who break into a company database can assemble just enough personal information — Social Security numbers, names and addresses — to produce convincing false returns with inexpensive fake documents.

The IRS system will accept a return for processing as long as nothing else has been filed for that person, though it will reject a filing if a return for the Social Security number has arrived, Conner said.

“The system is not really designed to detect the scheme,” she said.

Many scammers will request fraudulent refunds in the form of gift-style cards offered by the IRS, redeemable at department stores and other retailers. That makes it tougher for investigators to track the money because it is not funneled into an identifiable bank account, DeMarco said.

“Short of abandoning the program wholesale, I think the government needs to impose more rigorous controls,” he said.

An IRS spokeswoman did not comment on the store card program, and it is not clear whether high-profile scams in Western Pennsylvania involved the cards. The U.S. Attorney's Office for Western Pennsylvania declined to address that question, but law enforcement officials confirmed an investigation into the UPMC breach is ongoing.

Personal information for as many as 27,000 workers might have been compromised, UPMC said last week. At least two people received alerts from an identity theft protection company that their personal data showed up in an underground or black market-type forum, said downtown-based civil attorney Michael Kraemer.

“It gives me more questions. Is this related to the UPMC data breach? If it is, UPMC should be as transparent as possible in letting everyone know what they know about who has the information or if it's been contained,” said Kraemer, who is pursuing class-action litigation against UPMC.

UPMC spokeswoman Gloria Kreps said the employer alerted federal authorities, experts and workers starting in February. She said the hospital system is committed to investigating and prosecuting perpetrators.

“Because this is an active investigation, we cannot discuss details,” Kreps said.

The Government Accountability Office in Washington is examining how the IRS prevents tax return fraud, said James White, a director at the agency. The IRS called the problem one of its biggest challenges and said it's refining fraud identification practices.

It stopped 3 million fake returns in 2011, 5 million in 2012 and more than 6.7 million last year, according to internal reports. Yet scammers ripped off the identities of more than 1.2 million taxpayers in fiscal year 2012 and more than 1.6 million last year, an agency audit shows.

“We're getting better at stopping this before the money goes out the door,” the IRS said in a prepared statement.

©2014 The Pittsburgh Tribune-Review (Greensburg, Pa.)