The IRS breach is worse than we thought. In the wake of the “Get Transcript” Web application hack discovered in May, the government agency is sending letters to about 220,000 more taxpayers whose information may have been accessed. An attempt to steal the information of an additional 170,000 taxpayers was unsuccessful.
The IRS originally reported that criminals used taxpayer-specific data acquired from outside sources to gain unauthorized access to 100,000 tax accounts through its Get Transcript app. This data included Social Security numbers, dates of birth, and street addresses.
The hackers gained enough outside information before trying to access the IRS site, allowing them to clear a multi-step authentication process that included several personal verification questions typically only the taxpayer knows, according to the IRS.
The agency said it believed that some of this information may have been gathered for potentially filing fraudulent tax returns during the upcoming 2016 filing season and urged people who received the letters to take steps to protect themselves.
Will Tax Returns Suffer?
John Gunn, vice president at digital security firm VASCO Data Security, offered a chilling thought. He told us if you are hoping to get your tax refund before the hackers get it, you'd better file early next year.
“Government agencies and other organizations must abandon outdated methods of user identification and security,” Gunn said. “Criminal hacking organizations are employing remarkably innovative and sophisticated methods of attack. If we don’t get serious and employ equally advanced methods of authentication and fraud detection, the hackers will continue to win.”
Jeff Hill, channel manager at security software firm Stealthbits, agreed. He told us one of the reasons authentication-based attacks are so effective -- and so popular among hackers -- is that they’re very difficult to identify.
“Once legitimate credentials are obtained, it’s nearly impossible to distinguish between the good guys and the bad guys, especially if the attackers are patient and disciplined,” Hill said.
“Here we have a case where a successful authentication-based attack was discovered in May, and yet the IRS is still unclear of the extent of the breach’s damage months later,” he added. “Even now, how confident is the IRS they fully understand the extent of the attack completely, or should we expect yet another shoe to drop in the coming weeks?”
What Is Obama Doing?
That’s a good question and it’s anyone’s guess. What most security researchers are sure of is this: The impact of this breach will move well into 2016 and beyond, with President Barack Obama attempting to counter these concerns with a 72 percent increase in cybersecurity funding for the IRS. That’s what Stewart Draper, director of Insider Threat at security analytics firm Securonix, told us.
“Much of the damage has already been done. Critical personal data -- such as Social Security numbers, which cannot be changed like your debit card -- are already in the hands of potential attackers,” Draper said. “Investing this money in the right areas of security will be critical for the success of the IRS. There cannot be many people left who do not have free credit protection and this is fast becoming an unacceptable recourse to victims of security breaches of this magnitude.”