May 29, 2015 By Douglas Bonderud 2 min read

The Internal Revenue Service (IRS) isn’t shy when it comes to asking Americans for personal details, financial records and a host of other sensitive data. As reported by U.S. News & World Report, however, the taxman isn’t so great at keeping this data secure: The tax returns of more than 100,000 taxpayers have been stolen. Even worse? The IRS data theft was made possible thanks to an official IRS service called “Get Transcript.” While IRS Commissioner John Koskinen stated that the attack was complex and not the work of amateurs, that’s cold comfort for the victims. How did one of the most complex and secretive agencies in the U.S. get hacked?

How the IRS Data Theft Occurred

At first glance, the Get Transcript service offered by the IRS is a good idea because Americans often require copies of old tax returns in order to secure mortgages or financial aid. Accessing a transcript requires users to provide their name, Social Security number, date of birth, marital status and street address — in other words, data that’s readily available to any malicious actor with a mind to compromise personal security.

But the system also required four correct answers to knowledge-based authentication (KBA) questions, which the IRS site described as questions “that only you can answer.” They might be about former addresses, phone numbers or even home loan information. But as USA TODAY pointed out, much of this information is often available for as little as $1 per record on the Deep Web. In effect, the KBA step asked for more of the same kind of data the first step did, so an attacker who could buy one set of answers could buy the other. Robert Hansen, vice president at WhiteHat Security, said that it would have been easy for hackers to automate the submission process and quickly rack up stolen records. Ultimately, 100,000 out of 200,000 attempts to steal data were successful. Morey Haber of BeyondTrust described this success rate as “staggering.”
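The attack pattern described above, a script cycling through purchased identities and KBA answers at a roughly 50 percent pass rate, leaves a distinctive footprint in authentication logs. The following is an added example, not code from the original article or from the IRS: it runs two simple detections over a constructed sample log whose format, field names and thresholds are assumptions for this illustration. The per-source check flags an address that answers KBA questions for too many distinct identities in a short window; the fleet-wide failure-rate check goes one step beyond the article to cover an attacker who spreads requests across many addresses.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log for a hypothetical transcript-request endpoint.
# The format is assumed for this example, not the IRS's real log format:
#   <ISO timestamp> <source IP> <identity token> <KBA outcome>
# The identity token stands in for a hashed SSN; pass/fail is the KBA result.
# 203.0.113.7 behaves like a script cycling through purchased identities;
# the other two sources behave like ordinary taxpayers.
SAMPLE_LOG = """\
2015-03-01T09:00:01 203.0.113.7 id-0001 pass
2015-03-01T09:00:03 203.0.113.7 id-0002 fail
2015-03-01T09:00:05 203.0.113.7 id-0003 pass
2015-03-01T09:00:06 203.0.113.7 id-0004 fail
2015-03-01T09:00:08 203.0.113.7 id-0005 pass
2015-03-01T09:00:09 203.0.113.7 id-0006 pass
2015-03-01T09:12:44 198.51.100.23 id-0100 fail
2015-03-01T09:13:10 198.51.100.23 id-0100 pass
2015-03-01T10:30:00 192.0.2.55 id-0200 pass
"""


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    source: str
    identity: str
    passed: bool


def parse_log(text):
    """Parse the assumed four-field log format into Attempt records."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, identity, outcome = line.split()
        attempts.append(Attempt(datetime.fromisoformat(ts), source, identity, outcome == "pass"))
    return attempts


def flag_sources(attempts, window=timedelta(minutes=10), max_identities=3, max_attempts=20):
    """Flag any source that, within one sliding window, submits KBA answers for
    more distinct identities than a single household plausibly would, or simply
    too many attempts. Thresholds are assumptions for this example."""
    by_source = defaultdict(list)
    for a in attempts:
        by_source[a.source].append(a)
    flagged = {}
    for source, rows in by_source.items():
        rows.sort(key=lambda a: a.ts)
        start = 0
        for end, cur in enumerate(rows):
            # Slide the window so rows[start:end + 1] all fall within `window` of cur.
            while cur.ts - rows[start].ts > window:
                start += 1
            in_window = rows[start:end + 1]
            identities = {r.identity for r in in_window}
            if len(identities) > max_identities:
                flagged[source] = f"{len(identities)} identities in {window}"
                break
            if len(in_window) > max_attempts:
                flagged[source] = f"{len(in_window)} attempts in {window}"
                break
    return flagged


def kba_failure_rate(attempts):
    """Share of KBA checks that failed. A distributed attacker defeats the
    per-source check above but still drives this fleet-wide number up; the
    article reports roughly one failure per success during the breach."""
    if not attempts:
        return 0.0
    return sum(not a.passed for a in attempts) / len(attempts)


def source_summary(attempts):
    """Per-source counts of attempts, distinct identities and KBA passes."""
    acc = defaultdict(lambda: {"attempts": 0, "identities": set(), "passed": 0})
    for a in attempts:
        s = acc[a.source]
        s["attempts"] += 1
        s["identities"].add(a.identity)
        s["passed"] += a.passed
    return {src: {"attempts": s["attempts"], "identities": len(s["identities"]),
                  "passed": s["passed"]} for src, s in acc.items()}


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for src, reason in flag_sources(rows).items():
        print(f"FLAG {src}: {reason}")
    print(f"fleet-wide KBA failure rate: {kba_failure_rate(rows):.0%}")
```

On the sample data only 203.0.113.7 is flagged, after its fourth distinct identity in eight seconds; the two legitimate sources each touch a single identity. The failure-rate metric is the one to alert on when the per-source view looks clean, since it needs a baseline rather than a per-address threshold.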

Rip-off Refunds?

While the IRS doesn’t have an exact number on how much money was handed out in fraudulent refunds, Koskinen claimed the total is less than $50 million. Initial investigations suggested that the transcript system was targeted from February to mid-May, and the service has been temporarily suspended as a result. The agency also claimed that its main tax-filing computer network has not been hacked, and that before the transcript system was breached, legitimate users had successfully downloaded more than 23 million records.

But there’s a larger problem: Once thieves have access to older returns, they can victimize taxpayers again and again, year after year. It’s up to the IRS to sort out which returns are fakes and which are the real deal. Ultimately, the issue boils down to a kind of authentication tipping point. Government agencies demand large amounts of personal data to verify users, yet that data is not secret: It is held by employers, lenders and data brokers, and it leaks. Once malicious actors assemble enough of it to pass the check, the IRS and other organizations hand over every piece of data they’ve ever obtained about the victim, forcing users to fight for their own identities.

Soon, more than 200,000 Americans will receive warning notices about the IRS data theft, while others wait for refunds or audit notices. For taxpayers across the country, however, there’s a growing sense that this year, it’s the taxman who has a balance owing.
