The IRS does not expect the Equifax data breach to have a major effect on the upcoming tax filing season, Commissioner John Koskinen said Tuesday, adding that the agency believes a “significant” number of the victims already had their information stolen by cyber criminals.

“We actually think that it won’t make any significantly or noticeable difference,” Koskinen told reporters during a briefing on the agency’s data security efforts. “Our estimate is a significant percent of those taxpayers already had their information in the hands of criminals.”

ADVERTISEMENT

The IRS estimates that more than 100 million Americans have had their personally identifiable information stolen by criminal hackers, he said.

The Equifax breach disclosed in early September is estimated to have affected more than 145 million U.S. consumers.

“It’s an important reminder to the public that everyone can take any actions that they can ... to make sure we can do everything we can to protect personal information,” Koskinen said of the breach on Tuesday, in response to a reporter’s question.

The IRS commissioner advised Americans to “assume” their data is already in the hands of criminals and “act accordingly.”

The Equifax breach resulted in hackers maintaining access to Social Security numbers, birth dates and other personal information on millions of Americans for more than a month between May and June. The hack has stirred widespread fears of the potential for Americans to fall victim to identity theft.

The IRS touted its data security efforts ahead of the 2018 tax filing season on Tuesday during a briefing on the agency’s Security Summit, a joint effort with state tax agencies and the private sector launched in 2015.

On Tuesday, Koskinen touted the “tremendous progress” of the initiative to guard against tax-related identity theft, disclosing that the agency has witnessed the number of identity theft-related tax returns decline by two-thirds in two years.

“The progress we’ve made in protecting taxpayers is especially important when you look at how much sensitive personal information has fallen into the hands of criminals recently,” Koskinen told reporters on a press call. “A wide range of private and public-sector organizations have seen their systems compromised. I cannot imagine where the nation’s tax system would be today if we hadn’t started this effort back in 2015.”

“As tax season approaches, the protections provided by the Security Summit initiative should give comfort to taxpayers concerned their tax returns could be threatened by these recent data breaches,” he added.

Still, Koskinen acknowledged that the evolving cyber threat requires the agency to take new steps ahead of the upcoming tax filing season, which includes expanding an existing W-2 verification code pilot program, boosting information sharing with state officials and the private sector, and continuing public awareness campaigns directed toward taxpayers and tax professionals.

The IRS has been acutely aware of growing cyber threats, raising alarm over a 400 percent surge in phishing scams during the 2016 filing season.

“It’s a challenge that we have been worried about ... from the start,” Koskinen said Tuesday, noting that such scams have increasingly targeted tax preparers and companies as the IRS has gotten better at its own defenses.

The IRS itself was the victim of a breach in 2015 that exposed personal information associated with more than 700,000 accounts.

The latest Security Summit meeting will be Koskinen’s last; he concludes his term as IRS commissioner next month.