While the Internal Revenue Service is still dealing with the repercussions of the massive cyberattack that compromised the data from tax returns for roughly 330,000 people, it is now also facing a class action lawsuit.
Two taxpayers who were affected by the data breach earlier this year are now suing the IRS, alleging that the agency was aware of the security vulnerabilities of its site and did nothing to address them, Fortune reported late last week.
Hackers reportedly used a system called “Get Transcript,” where taxpayers can access tax returns from prior years, to override a security checkpoint that includes information about the taxpayer, such as Social Security numbers, birthdates, tax status and street addresses.
Using that information, the fraudsters then filed for phony tax refunds and were able to obtain $50 million in federal funds, Fortune confirmed.
The lawsuit claims that by not fixing known security problems, the IRS failed to protect the personal information of taxpayers from hackers.
“As custodians of taxpayer information, the IRS has failed in its obligation to protect the personal and sensitive information of hundreds of thousands of taxpayers, their spouses and families,” Richard McCune, a lawyer representing the plaintiffs, said in a statement.
“Furthermore, the breach and theft occurred after repeated warnings over the course of several years regarding the lax computer security system.”
The complaint alleged the data breach was only made possible due to the IRS’ disregard of known security deficits in its data storage system. It also said “the IRS generally knew that its systems would be a target for cybercriminals” and that its cybersecurity procedures were insufficient, yet the agency “deliberately and intentionally chose not to implement appropriate security.”
Just last week the IRS announced the impact of the cyberattack was actually more extensive than the agency originally thought.
Back in May, the IRS announced the data from tax returns for roughly 100,000 households was stolen by cybercriminals who used the IRS’ online services to hack the database. But that number ended up being incorrect.
The IRS confirmed the new estimate includes nearly 220,000 additional households “where there were instances of possible or potential access.”
In a statement, the agency explained there were roughly 170,000 additional instances of “suspected attempts that failed to clear the authentication processes.”