(Bloomberg) -- Identity thieves stole information on104,000 U.S. taxpayers from the IRS website and usedthe data to file fake tax returns that yielded as much as$50 million in refunds, agency Commissioner John Koskinen said.

The thieves had enough personal information on thetaxpayers to get past security filters on the “Get Transcript”function on the Internal Revenue Service’s website, Koskinen saidTuesday on a conference call with reporters.

That allowed them to gain access to past tax returns, whichcontain the information they would need to file convincing fakereturns.

“We’re confident that these are not amateurs, that theseactually are organized crime syndicates,” Koskinen said.

The problem is another setback for the beleaguered tax agency,which had been encouraging taxpayers to use its online services torelieve the burden on its jammed toll-free telephone lines.

The amount stolen relatively small compared with the broaderwave of tax-refund identity theft the IRS has fought forseveral years. In 2011 alone, the IRS paid out $3.6 billion inpotentially fraudulent refunds, according to its inspectorgeneral.

Still, the breach unusual because the thieves gainedaccess directly through the IRS.

The activity occurred from mid-February through May. The IRSremoved the Get Transcript function from its website last week andstarted a criminal investigation.

“We won’t put it back up until we’re satisfied that we’veimproved the security,” Koskinen said.

School Mascot

The Get Transcript function allowed taxpayers who providedidentifying information to access their past tax returns withoutcalling the IRS or visiting the agency in person. In addition toSocial Security numbers and addresses, they had to provide“out-of-wallet” information, such as their high school mascot orthe type of car they once owned, Koskinen said.

Some of that information is widely available on social media,Koskinen said, adding that investigators are still examiningexactly what happened.

The transcript is particularly valuable for identitythieves trying to steal a tax refund, because they can file afake return that mimics the real taxpayer’s income and deductionsand directs a refund to their own debit card. Such a return,Koskinen said, has a better chance of skating past the agency’scomputerized filters that flag anomalies.

Even with Social Security numbers, he said, “What you don’t haveis enough data to make the false data look likewhat the real return would be.”

‘Devastating Breach’

Senate Finance Committee Chairman Orrin Hatch, a UtahRepublican, said his panel is working with the IRS to determine howthe “devastating breach” could occur.

“That the IRS -- home to highly sensitive information on everysingle American and every single company doing business here athome -- was vulnerable to this attack is simply unacceptable,”Hatch said in a statement. “This agency has been repeatedly warnedby top government watchdogs that its data securitysystems are inadequate against the growing threat of internationalhackers and data thieves.”

The IRS didn’t provide a minimum amount that the identitythieves received in refunds.

The IRS is providing credit-monitoring services to the peopleaffected. Those taxpayers, along with another 100,000 taxpayerswhose data the thieves tried and failed tobreach, will receive letters from the IRS explaining whathappened.

Copyright 2018 Bloomberg. All rightsreserved. This material may not be published, broadcast, rewritten,or redistributed.