As concerns about stolen data and tax identity fraud continue to mount, it’s clear that this isn’t an issue restricted to Minnesota. Or Utah. Or Connecticut. With that in mind, it’s no surprise that the Federal Bureau of Investigation (FBI) has reportedly opened an investigation into a potential computer data breach related to fraudulent tax returns filed with TurboTax software.
The Wall Street Journal, citing a person close to the investigation, is reporting that FBI investigators are trying to find out who stole personal information – and how it was obtained – used to file a rash of fraudulent state tax returns. Most reports have centered on TurboTax software, with rivals H&R Block HRB 0% and TaxACT claiming that they have not seen the same kinds of suspicious activity.
Intuit INTU -0.42% has consistently maintained that their own investigations indicate that the fraud did not result from a security breach of its systems. Immediately after the first reports of fraud, Intuit brought in Palantir, a third party security expert, to confirm that their own systems were not and had not been at risk. During that time, TurboTax temporarily halted e-filing for all state tax returns. The company resumed all e-filings shortly thereafter.
Today, Intuit issued a statement, denying that the company was at the center of an investigation, saying:
Intuit has not been notified, nor are we aware, that we are the target TGT -0.3% of an FBI investigation. We work with law enforcement agencies, including the FBI as appropriate, on matters such as identity theft.
Intuit is, however, working with IRS and individual state revenue agencies to constantly monitor the situation. States are also sharing information about potentially fraudulent returns, something that was clearly not happening in a concerted manner prior to the latest fraud trend. I reached out to a number of state revenue agencies when rumors first started circulating about increased instances of stolen data and tax fraud; at least half of those I spoke with seemed unaware that anything out of the ordinary was happening at first. By now, however, most states seem to be on board with investigative efforts. The Department of Revenue in my own state of Pennsylvania issued a statementnoting that they are currently “participating in an information share among U.S. taxing agencies and Intuit.” No state, however, is willing to lay the blame solely at the feet of Intuit (though Minnesota came pretty close).
So if it wasn’t a data breach at Intuit’s TurboTax software system, what happened?
Intuit believes that the stolen data was obtained from sources outside of their own systems. Some have gone so far as to point fingers at large scale security failures reported over the past year like those at retail giant Target. Connecticut’s Department of Revenue stopped short of connecting the dots from breach to fraud this week but did warn taxpayers to consider filing early after the Anthem security breach: up to 80 million customers were potentially affected.
One thing is clear: tax fraud isn’t just petty theft, it’s big business. The IRS reported in 2013 that it had identified 220,821 tax returns with $1.86 billion claimed in fraudulent refunds well before the tax filing season even came to a close (TIGTA report downloads as pdf). In fiscal year 2012, the number of IRS criminal investigations into identity theft issues more than tripled, helping protect taxpayers from $20 billion in fraudulent refunds.
And while large scale security breaches can certainly lead to rampant tax fraud, it doesn’t have to be quite so brazen. Identity theft can happen anywhere. It can happen at schools. It can happen at the doctor’s office. In some cases, it comes from inside the government. Even those declared deadaren’t immune.
