The Internal Revenue Service (IRS) is reporting another massive breach. The federal agency pointed to an automated attack on its Electronic Filing PIN application on the IRS.gov Web site. The attack has been stopped but the fallout may continue.
In its review, the IRS identified unauthorized attempts involving about 464,000 unique Social Security numbers. About 101,000 Social Security numbers were used to access E-file PINs.
“Using personal data stolen elsewhere outside the IRS, identity thieves used malware in an attempt to generate E-file PINs for stolen Social Security numbers,” the agency said in a statement. “An E-file pin is used in some instances to electronically file a tax return.”
What Happens Next?
The good news is that no personal taxpayer data was compromised or disclosed in the attack, according to the IRS. Nevertheless, the agency will immediately contact any taxpayers whose personal information was used to access IRS applications. Those notices will come via traditional postal mail.
“The IRS is also protecting their accounts by marking them to protect against tax-related identity theft,” the agency said. The incident, involving an automated bot, occurred last month, and the IRS continues to closely monitor the web application. “This incident is not connected or related to last week’s outage of IRS tax processing systems,” according to the agency.
Finally, the IRS said its cybersecurity experts are still reviewing the attack. The IRS is also working with the Treasury Inspector General for Tax Administration, as well as other agencies, and sharing information with its Security Summit state and industry partners.
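The attack described above was an automated bot that submitted several hundred thousand distinct Social Security numbers to a single PIN-issuing web application. The following is an added example, not code from the article or from the IRS, showing the kind of velocity check a defender can run over application logs to surface that pattern: a single client submitting many different taxpayer identifiers in a short window. The log format, the client addresses, the subject tokens and the thresholds are all constructed for this example; the tokens stand in for a salted hash of the submitted identifier, so the detector never handles raw Social Security numbers.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real IRS data). Each line is:
#   <ISO timestamp> <client IP> <outcome> <subject token>
# where the subject token is a salted hash of the identifier that was
# submitted, not the identifier itself. The first client cycles through
# eight different subjects in fourteen seconds; the other two behave like
# a human retrying their own request.
SAMPLE_LOG = """\
2016-01-15T10:00:01Z 203.0.113.7 FAIL s01
2016-01-15T10:00:03Z 203.0.113.7 FAIL s02
2016-01-15T10:00:05Z 203.0.113.7 OK   s03
2016-01-15T10:00:07Z 203.0.113.7 FAIL s04
2016-01-15T10:00:09Z 203.0.113.7 OK   s05
2016-01-15T10:00:11Z 203.0.113.7 FAIL s06
2016-01-15T10:00:13Z 203.0.113.7 OK   s07
2016-01-15T10:00:15Z 203.0.113.7 FAIL s08
2016-01-15T10:02:00Z 198.51.100.23 FAIL s42
2016-01-15T10:02:40Z 198.51.100.23 FAIL s42
2016-01-15T10:03:10Z 198.51.100.23 OK   s42
2016-01-15T10:05:00Z 192.0.2.5 OK   s77
"""


def parse_line(line):
    """Split one log line into (timestamp, client IP, outcome, subject token)."""
    ts_text, ip, status, token = line.split()
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return ts, ip, status, token


def peak_distinct_subjects(events, window):
    """Largest number of distinct subject tokens one client submitted
    within any span of length `window`. `events` is a list of
    (timestamp, token, outcome) tuples in any order."""
    events = sorted(events)
    peak = 0
    start = 0
    for end in range(len(events)):
        # Slide the window start forward until it covers at most `window`.
        while events[end][0] - events[start][0] > window:
            start += 1
        in_window = {tok for _, tok, _ in events[start:end + 1]}
        peak = max(peak, len(in_window))
    return peak


def detect_bulk_clients(log_text, window=timedelta(minutes=5),
                        max_distinct_subjects=5):
    """Return, per flagged client IP, a summary of its activity.

    A client is flagged when it submits more than `max_distinct_subjects`
    different subject tokens inside any `window`. A person retrying their
    own request stays under the threshold; an enumeration bot does not.
    Thresholds are illustrative and would be tuned per application.
    """
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, status, token = parse_line(line)
        per_client[ip].append((ts, token, status))

    findings = {}
    for ip, events in per_client.items():
        if peak_distinct_subjects(events, window) > max_distinct_subjects:
            findings[ip] = {
                "distinct_subjects": len({tok for _, tok, _ in events}),
                "attempts": len(events),
                "successes": sum(1 for _, _, s in events if s == "OK"),
            }
    return findings


if __name__ == "__main__":
    for ip, summary in detect_bulk_clients(SAMPLE_LOG).items():
        print(ip, summary)
```

In a real deployment the same counting would be done per client fingerprint rather than per bare IP, and the flagged clients would feed a rate limiter or step-up challenge on the PIN endpoint rather than only a report; the point of the check is that a single identity's failed attempts look normal, while one source touching many identities does not.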
Where Do We Go From Here?
We asked Travis Smith, senior security research engineer for Tripwire, for his thoughts on the breach. He noted that data is the currency of the 21st century.
“Today's cybercriminals want a slice of your personally identifiable information, such as credit card information, Social Security numbers, or health care data,” Smith said. “The actors who steal data typically will not have the expertise to exploit the data in fraudulent ways, such as re-printing credit cards or stealing someone's identity. Instead they sell their stolen loot on the black market to fraudsters who specialize in such activities.”
Currently, there is no cost-effective way to prove what you know (such as your Social Security number) as well as what you are (such as a fingerprint) on a mass consumer scale, Smith said. Until those technologies exist, consumers should be vigilant in monitoring their credit scores as well as monitoring breaches at companies where they do business.
“Organizations should only collect the minimum amount of data necessary to do business,” Smith said. “If private information is core to the business model, necessary steps need to be taken to ensure their customers' data is protected in the same manner a bank would protect their customers' currency.”
This Is Not the First Time
This is not the first high-profile IRS breach. After the “Get Transcript” Web application hack in May, the agency sent letters to 334,000 taxpayers who used the app letting them know that their accounts had been compromised.
In that incident, the hackers gained enough outside information, including taxpayers' Social Security numbers, dates of birth, and street addresses, before trying to access the IRS site. That allowed the attackers to clear a multi-step authentication process that included several personal verification questions typically only the taxpayers know, according to the IRS.
At the time, the agency said it believed that some of this information may have been gathered so cybercriminals could file fraudulent tax returns during the 2016 filing season. The IRS urged people who received the letters to take steps to protect themselves.