IRS: 100,000 Taxpayer Accounts BreachedStolen PII Helped Hackers Evade Authentication Defenses
Using personal information gained from third-party sources to circumvent authentication protections, hackers breached more than 100,000 accounts of taxpayers who had used the Internal Revenue Service's "Get Transcript" application, which has been temporarily shuttered.
The Get Transcript service allows taxpayers to review their tax account transactions, line-by-line tax return information or wage and income reported to the IRS for a specific tax year. "The IRS is continuing to conduct further reviews on those instances where the transcript application was accessed, including how many of these households filed taxes in 2015," the IRS said in a May 26 statement. "It's possible that some of these transcript accesses were made with an eye toward using them for identity theft for next year's tax season. "
The IRS branded the hack as a sophisticated effort. "Third parties succeeded in clearing a multi-step authentication process that required prior personal knowledge about the taxpayer, including Social Security information, date of birth, tax filing status and street address before accessing IRS systems," the IRS said. "The multi-layer process also requires an additional step, where applicants must correctly answer several personal identity verification questions that typically are only known by the taxpayer."
IRS Commissioner John Koskinen, at a press conference, said several years of taxpayers' returns and tax information were exposed. "We're confident these are not amateurs, these actually are organized crime syndicates that not only we but everyone in the financial industry are dealing with," he said.
Breach Didn't Affect Core Systems
The IRS said the breach did not involve its core computer system that processes tax filings.
Tax agency officials did not specifically identify the third-party sources where the PII originally was stolen, although it characterized them as "questionable email domains." But several experts suggested that the hackers could have acquired the initial PII from other breaches. "We live in a world where the Internet has become a database of 'you' and where one data breach can easily feed another," says Ken Westin, senior security analyst for the IT security firm Tripwire. "The information that was used to bypass the security screen ... are all components of data that have recently been compromised in health insurance data breaches."
The IRS said it spotted last week unusual activity occurring on the Get Transcript application, suggesting that unauthorized individuals had access to some accounts on the transcript application. The tax agency said the breach started in February and continued until mid-May.
Attempts Made to Hack 200,000 Accounts
Following an initial review, IRS investigators surmised that hackers attempted to access 200,000 taxpayer accounts through the Get Transcript application and gained access to more than 100,000 accounts. During the tax filing season, the IRS said taxpayers successfully and safely downloaded about 23 million transcripts.
The IRS is offering free credit monitoring services to the 100,000 taxpayers whose accounts were breached. "The IRS is marking the underlying taxpayer accounts on our core processing system to flag for potential identity theft to protect taxpayers going forward - both right now and in 2016," the IRS said.
The breach is being investigated by the Treasury Inspector General for Tax Administration and IRS offices, including Criminal Investigation.
'Treasury Trove' of PII
"That the IRS - home to highly sensitive information on every single American and every single company doing business here at home - was vulnerable to this attack is simply unacceptable," says Senate Finance Committee Chairman Orrin Hatch, R-Utah. "What's more, this agency has been repeatedly warned by top government watchdogs that its data security systems are inadequate against the growing threat of international hackers and data thieves."
As recently as March, the Government Accountability Office issued an audit showing that IRS taxpayer and financial data remain unnecessarily vulnerable to inappropriate and undetected use, modification and disclosure, although the report made no reference to the Get Transcript application (see GAO Faults IRS Security Processes).
Still, GAO Information Security Issues Director Gregory Wilshusen said in the audit that the IRS's failure to implement proper security exposes taxpayers' PII to fraudsters. "IRS would make an attractive target because it processes a treasure trove of personally identifiable information on American taxpayers," he said.