100,000 IRS Taxpayer Accounts Compromised


The Internal Revenue Service (IRS) has acknowledged that cyber criminals recently accessed information on approximately 100,000 tax accounts, and had access to taxpayers' Social Security numbers, birthdates and street addresses.

According to an IRS statement, the cyber criminals "used taxpayer-specific data acquired from non-IRS sources" to access the IRS' "Get Transcript" service.

That data included Social Security numbers and enough other personal information to clear a multi-step authentication process that included "several personal verification questions that typically are only known by the taxpayer."

The IRS has identified 200,000 attempts to access data, starting in February 2015 and running through mid-May -- all those affected will be notified, and the approximately 100,000 taypayers whose accounts were successfully compromised will be provided with free access to credit monitoring services.

The breaches only affected the Get Transcript service, the IRS noted -- they did not involve the IRS' main computer system.

"The IRS is continuing to conduct further reviews on those instances where the transcript application was accessed, including how many of these households filed taxes in 2015," the IRS said in a statement. "It’s possible that some of these transcript accesses were made with an eye toward using them for identity theft for next year’s tax season."

IRS commissioner John Koskinen told The New York Times that the attackers were clearly not amateurs. "These actually are organized crime syndicates that not only we but everybody in the financial industry are dealing with," he said.

Secure Channels CEO and co-founder Richard Blech told eSecurity Planet by email that it's notable the attackers were able to make 200,000 attempts to access taxypayer accounts. "So apparently the IRS is lacking security alert systems for being breached, proper authentication using biometric-multi-factors and deep encryption for all customer sensitive data," he said.

"Had the breached taxpayers’ sensitive information been encrypted, even if the hackers somehow bypassed a strong multi-factor authentication requirement, this would be a non-news event as the hackers would have left with completely useless, non-decryptable data," Blech added.

And Tripwire senior security analyst Ken Westin said the IRS breach clearly demonstrates that we now live in a world in which one data breach easily feeds another. "According to the IRS, the data came ‘from questionable email domains’ and at a high velocity of requests," he said. "The information that was used to bypass the security screen, including Social Security numbers, dates of birth and street addresses, are all components of data that have recently been compromised in health insurance data breaches. Tax filing status can be identified pretty easily if you know whether the person is married or not."

"Unfortunately, the high number of large scale data breaches has essentially transformed our personal information into public information; and this data should not be used as security or authentication checks," Westin added.