According to a government report publicly released last week, the IRS failed to adequately respond to a May 2015 cyber-attack on its “Get Transcript” application that potentially compromised at least 621,000 taxpayer accounts. The United States Treasury Inspector General for Tax Administration (“TIGTA”) found that, while the IRS timely disabled the affected application, it failed to identify all potential taxpayers affected by the breach. It was only until after the TIGTA alerted the IRS of the larger scope of the breach that the IRS informed all impacted taxpayers.

The IRS’s own figures continually increased over the course of the last year. Days after the breach, the IRS reported that the affected number was approximately 100,000. That figure doubled in August 2015. It then doubled again in February 2016. In a statement, the agency noted that all affected taxpayers were informed as soon as they were identified.

The TIGTA report also critiqued the IRS for failing to offer credit monitoring services to the roughly 79,000 taxpayers where only an attempted access occurred.  Given that the breach created an increased risk of false tax returns being filed, the TIGTA noted that all targeted accounts should have received the service. In response, the IRS disagreed with this critique given that, for these 79,000 taxpayers, there was no evidence that these individuals had any information stolen. However, the IRS did agree with recommendations in the report regarding the content of its notification letters.

The agency also touted the recent unveiling of a more rigorous e-authentication process for its “Get Transcript” application, which has allowed 47 million transcripts to be ordered since its 2014 launch.