Coverage: IRS breach compromises millions of data

May 27, 2015

Posted by Liz Hester

No one is immune from data breaches these days, including the Internal Revenue Service. The latest cyber attack compromised the data of 100,000 U.S. households, calling into question just how information can be secured these days.

John D. McKinnon and Laura Saunders wrote for The Wall Street Journal that the data thieves used information stolen elsewhere to gain access to accounts:

The Internal Revenue Service said Tuesday that identity thieves used one of its online services to obtain prior-year tax return information for about 100,000 U.S. households, a major breach of the agency charged with safeguarding taxpayers’ privacy.

The agency said cybercrooks used stolen Social Security numbers and other specific data acquired from elsewhere to gain unauthorized access to the tax-agency accounts, beginning in February and continuing through mid-May.

About 104,000 attempts successfully accessed earlier returns, IRS Commissioner John Koskinen said. An additional 100,000 attempts were unsuccessful, the agency said.

The incident, which echoes similar problems earlier this year in some states, highlights the growing risks from cybersecurity breaches to both individuals and the government. It particularly reflects crooks’ ability to carefully aggregate vast amounts of personal data from multiple sources, and plan and execute highly sophisticated schemes.

The USA Today story by Elizabeth Weise said the operation happened over four months:

The Get Transcript application allows users to view their tax account transactions, line-by-line tax return information or wage and income reported to the IRS for a specific tax year. It was used to securely retrieve approximately 23 million taxpayer transcripts last year, the IRS said.

The information the hackers used to get in was probably previously stolen by other hackers who then sold it on the open market, said Rob Roy, chief technology officer of HP Enterprise Security Products.

The hackers who bought it “appear to have hired an army of people to submit over 200,000 queries into the IRS site over a period of four months. Not exactly a quick and easy operation,” he said.

“The matter is under review by the Treasury Inspector General for Tax Administration as well as the IRS’ Criminal Investigation unit, and the ‘Get Transcript’ application has been shut down temporarily,” the IRS said.

The agency will provide free credit monitoring services for the approximately 100,000 taxpayers whose accounts were accessed.

Jada F. Smith said in a story for The New York Times that the IRS sent $50 million in refunds before discovering the breach:

Dealing with fraudulent tax claims has been a challenge for the I.R.S. as online crime has grown more sophisticated in recent years. The agency paid $5.8 billion in falsely claimed refunds in 2013.

“Eighty percent of the identity theft we’re dealing with and refund fraud is related to organized crime here and around the world,” Mr. Koskinen said at a news conference on Tuesday. “These are extremely sophisticated criminals with access to a tremendous amount of data.”

The I.R.S. said the attackers exploited data, like email addresses and passwords gleaned from other breaches, to answer basic authentication questions about subjects like birth dates or the names of family members. After recent breaches at the health insurer Anthem and Home Depot, security experts note that users’ personal information is now widely available to hackers, who can buy it from criminal websites.

“This is a wake-up call that breaches have a compounding effect and the stakes are getting higher,” said Eric Chiu, a security expert who is the president of HyTrust, a cloud computing security company. “Attackers are on the hunt for our personal and financial information using data stolen from other breaches to gain a larger amount of information on those same individuals.”

The consequence, Mr. Chiu said, “could be devastating to consumers — attacks can potentially open new accounts, siphon off funds and ultimately steal identities of victims.”

The Associated Press story by Stephen Ohlemacher said that Congress was already demanding answers:

Congress is already pressing the IRS for information about the breach.

“That the IRS — home to highly sensitive information on every single American and every single company doing business here at home — was vulnerable to this attack is simply unacceptable,” said Sen. Orrin Hatch, R-Utah, chairman of the Senate Finance Committee. “What’s more, this agency has been repeatedly warned by top government watchdogs that its data security systems are inadequate against the growing threat of international hackers and data thieves.”

Koskinen said the agency was alerted to the thieves when technicians noticed an increase in the number of taxpayers seeking transcripts.

The IRS said they targeted the system from February to mid-May. The service has been temporarily shut down.

Taxpayers sometimes need copies of old tax returns to apply for mortgages or college aid. While the system is shut down, taxpayers can still apply for transcripts by mail.

The IRS said its main computer system, which handles tax filing submissions, remains secure.

While the breach could have involved more people, it’s still a blow to consumer confidence. After a year of high-profile retailer and bank breaches, this latest government breach is likely to make people even more nervous about data security.
