Security Alert for Nonprofits that E-file Forms 990

The IRS has announced that the computer system that handles electronic filing of nonprofit annual IRS information returns—Form 990, 990-EZ, and Form 990-N--has been hacked. Find out what this means and what to do.

The IRS and the Urban Institute’s National Center for Charitable Statistics (NCCS) have announced that the NCCS’s computer system has been hacked. The NCCS handles the electronic filing of the annual IRS information returns filed by nonprofits each year—Form 990, 990-EZ, and Form 990-N. Online filing is optional for Forms 990 and 990-EZ, but is mandatory for Form 990-N (which is filed by small nonprofits and only contains current contact information).

Intruders gained access to information for all registered users on the NCCS website who have filed these forms. Also affected were registered users for IRS Form 8868 extensions and filings for charitable organizations in Hawaii, Michigan, and New York. The NCCS says that if you have used these systems, it is likely that some of your information was accessed. This includes usernames, first and last names, email addresses, IP addresses, phone numbers, and passwords. Other publicly available information may have been accessed as well, such as Employer Identification Numbers, and nonprofit names and addresses. The NCCS says that as far as it knows the IRS filings themselves (Form 990, 990-EZ, and state registration and renewal information) were not compromised.

All registered users have already been notified by email by the NCCS, and are urged to change their passwords immediately. However, if you have accessed any of these systems, you should assume your username and password were compromised, regardless of whether you received an email.

To change your password on Form 990 Online, click here.

To change your password for e-Postcard (990-N), click here.

Fortunately, the NCCS says that no credit card numbers or Social Security numbers were obtained by the hackers because these numbers are not included on the IRS forms involved. If you paid the NCCS online filing fees through PayPal, that information was visible only to PayPal and was never in the NCCS system. Thus far, the NCCS has found no evidence that IRS Schedule B (containing donor lists) was accessed.

The NCCS says its filing system is now secure and fully operational. To eliminate future problems, its system has been rebuilt on new secured servers. You may file your Form 990-N e-Postcard at any time, and the 2014 Form 990 and 990 E-Z will be available at the end of March.

Unlike IRS Form 1040 and other individiual tax forms (which the NCCS does not deal with), the information returns filed by nonprofits are public documents that are released by the IRS annually, so this is not as big a deal as it might sound. Nevertheless, it is a black eye for the Urban Institute, a large nonprofit that has been helping the nonprofit community with IRS compliance issues for many years.

The NCCS is the only entity that provides online filing of IRS Form 990-N. However, other companies also provide online filing of Form 990 or 990-EZ. Links to these can be found at:

Talk to a Lawyer

Need help? Start here.

How it Works

  1. Briefly tell us about your case
  2. Provide your contact information
  3. Choose attorneys to contact you

Talk to a Business Law attorney.

How It Works

  1. Briefly tell us about your case
  2. Provide your contact information
  3. Choose attorneys to contact you