In a report of an audit of 13 IRS approved tax filing firms, Online Trust Alliance found that six of the 13 firms do not provide adequate security against cyberintrusions.

The firms, all members of the IRS’s Free File Alliance, provide free tax preparation and e-filing of approximately 100 million federal tax returns. According to Online Trust Alliance, six of the firms are failing to protect consumers’ privacy and security when providing the services.

On top of that, the IRS confirmed this week that the initial estimate of those affected by the filing of fraudulent tax returns in 2014 and 2015 as a result of the Get Transcript function—originally estimated at approximately 330,000—is now estimated at 724,000—more than double the original number.

And not to be outdone, Krebsonsecurity wrote this week that the IRS’s idea of protecting last year’s tax refund victims from fraud against them this year was to provide the victims with an Identity Protection Pin. According to Krebs, the IRS has mailed 2.7 million of these six digit PINS to prior tax identity theft victims.

But adding insult to the injury, the IRS allows individuals to retrieve their PIN from the IRS website, through the exact same authentication procedures that were used by the identity thieves to file the fraudulent tax returns in the first place. Apparently, the thieves are able to use the same method to retrieve the PIN and file a false tax return and get the refund from the taxpayer for a second year in a row. The old adage of “death and taxes” should be changed to “death, identity theft and taxes.”