IRS-Affiliated Site for Charities Hit by Data Breach

A site that is used to process tax forms for nonprofit organizations on behalf of the Internal Revenue Service recently suffered a data breach.

The site is operated by the Urban Institute’s National Center for Charitable Statistics, or NCCS. The group announced in February it had recently discovered that an unauthorized party or parties gained access to the Form 990 Online and e-Postcard filing systems for nonprofit organizations.

Visitors to the site, http://epostcard.form990.org/, see a Security Alert, saying, “On February 24, 2015 all users of the e-Postcard system were notified that unauthorized parties gained access to the system and to usernames and passwords. If you registered on the site prior to January 7, 2015 you will be required to change your password if you have not already done so. Please go here for details, answers to Frequently Asked Questions and more information.”

An Accounting Today reader who tried to use the site last week said his organization had not been notified about the breach.

An IRS spokesman directed inquiries about the data breach to the Urban Institute.

Stuart Kantor, a spokesman for the Urban Institute, emailed Accounting Today on Monday and wrote, “TIGTA (Treasury Inspector General for Tax Administration) opened a criminal investigation into this attack. Urban was considered a victim of a crime. We are not privy to the TIGTA investigation, so we do not know its status. The incident did not result in any material downtime or interruption of use of the e-Postcard or Form 990 Online systems.”

Separately, the IRS’s Criminal Investigation division announced the creation of a cybercrime unit to deal with data breaches and the growing prevalence of identity theft-related tax fraud (see IRS Creates Cybercrime Unit to Battle Identity Theft).

“We are creating a cybercrimes unit within CI to really focus on some large-scale cybercrime-related cases, specifically focused on identity theft and the impact on tax administration,” said Richard Weber, chief of IRS Criminal Investigation, in a conference call with reporters Monday.

The Urban Institute said an intruder or intruders retrieved email addresses, usernames, passwords, first and last names, IP addresses, phone numbers, addresses and names of nonprofits. The incident affects all users who have filed with the online versions of Forms 990, 990-EZ, and 990-N (e-Postcard). In addition, it affects users of Form 8868 extensions and filings for charitable organizations in Hawaii, Michigan, and New York. 

The Urban Institute is encouraging anyone who has used either the Form 990 Online or the e-Postcard systems to change their passwords. If they have used the same username and password combination on other sites or applications, they are encouraged to change them in those instances as well.

Sensitive consumer information, such as Social Security numbers or credit card data, was not accessed in the attack, according to the group. No Social Security numbers or credit cards are stored on the systems, so they were not available to intruders. The Urban Institute said there is no evidence to suggest that the filings themselves were compromised. Copies of the 990 returns, including the e-Postcard, are public documents that are released by the IRS annually.

The Urban Institute said it took immediate steps to secure the systems, alerted the IRS, and is working with law enforcement as they conduct an ongoing investigation.

“We saw early indicators of suspicious activity in the e-Postcard system on January 7, but at that time we did not know what, exactly, had been compromised,” said Kantor. “On January 23, we saw evidence that e-Postcard user accounts were accessed; beginning January 24, users were prompted to change their passwords when they came to the site. It was not until February 4 that the investigation revealed the full scope of the intruders’ access, including that user accounts for both e-Postcard and the Form 990 Online were accessed. We then took the extra step of prompting Form 990 Online users to change their passwords as well and started preparing our official notification process. On February 24, all users of Form 990 Online were notified that unauthorized parties gained access to the system and to usernames and passwords.”

The Urban Institute is home to both the Center on Nonprofits and Philanthropy and the National Center for Charitable Statistics, or NCCS, which works with the IRS, state charity officials, policymakers, and researchers, to collect and analyze data on the nonprofit sector. It also offers assistance and information directly to nonprofits.

In 2000, NCCS began work on electronic filing of state and federal forms and was one of the first organizations to offer electronic filing for nonprofits with the IRS beginning in 2004.

In 2007, NCCS adapted its e-filing technology so that small organizations could complete the “e-Postcards” that Congress mandated in the Pension Protection Act of 1996. NCCS launched the e-Postcard site in early 2008. 

According to the Urban Institute, however, NCCS, the Center on Nonprofits and Philanthropy, and the Urban Institute play no role in evaluating, screening, or assessing nonprofit organizations’ returns.
