According to recent reports and a letter from the IRS to Congress, the US Internal Revenue Service (IRS) accidentally posted sensitive taxpayer data to its website. This means that those affected could potentially be at risk for further threats, such as identity fraud. The problem with the data leak stemmed from the machine-readable Form 990-T, used by tax-exempt entities like government entities and retirement accounts to report income tax on income made by investments. The IRS is required to publicly disclose this information for 501(c)(3) organizations, however, it was reported that similar information was released for organizations that fall outside of this category not subject to public disclosure.
The data leaked includes individual business names and business contact information, impacting 120,000 individuals in total. This surpasses the 100,000 figure of impacted individuals which requires notification to lawmakers. The IRS confirmed that the data did not include Social Security numbers, individual income information, or detailed financial data that could impact credit. The repository was reportedly left publicly available for roughly a year as the coding error went undetected.