May 29, 2015 By Douglas Bonderud 2 min read

The Internal Revenue Service (IRS) isn’t shy when it comes to asking Americans for personal details, financial records and a host of other sensitive data. As reported by U.S. News & World Report, however, the taxman isn’t so great at keeping this data secure: The tax returns of more than 100,000 taxpayers have been stolen. Even worse? The IRS data theft was made possible thanks to an official IRS service called “Get Transcript.” While IRS Commissioner John Koskinen stated that the attack was complex and not the work of amateurs, that’s cold comfort for the victims. How did one of the most complex and secretive agencies in the U.S. get hacked?

How the IRS Data Theft Occurred

At first glance, the Get Transcript service offered by the IRS is a good idea because Americans often require copies of old tax returns in order to secure mortgages or financial aid. Accessing a transcript requires users to provide their name, Social Security number, date of birth, marital status and street address — in other words, data that’s readily available to any malicious actor with a mind to compromise personal security.

But the system also required four correct answers to knowledge-based authentication (KBA) questions, which the IRS site described as questions “that only you can answer.” They might be about former addresses, phone numbers or even home loan information . But as USA TODAY pointed out much of this information is often available for as little as $1 per record on the Deep Web. Robert Hansen, vice president at WhiteHat Security, said that it would have been easy for hackers to automate the submission process and quickly rack up stolen records. Ultimately, 100,000 out of 200,000 attempts to steal data were successful. Morey Haber of BeyondTrust describes this performance as “staggering.”

Rip-off Refunds?

While the IRS doesn’t have an exact number on how much money was handed out in fraudulent refunds, Koskinen claimed the total is less than $50 million. Initial investigations of the attack suggested that the transcript system was targeted from February to mid-May, and the service has temporarily been suspended as a result. The agency also claimed that its main tax-filing computer network has not been hacked, and before the transcript system was breached, over 23 million records were successfully downloaded by legitimate users.

But there’s a larger problem: Once thieves have access to older returns, they can victimize taxpayers again and again, year after year. It’s up to the IRS to sort out which returns are fakes and which are the real deal. Ultimately, the issue boils down to a kind of authentication tipping point. Government agencies want large amounts of personal data to verify users, but once malicious actors obtain enough information to breach a secure system, the IRS and other organizations are more than willing to share every piece of data they’ve ever obtained, forcing users to fight for their own identities.

Soon, more than 200,000 Americans will receive warning notices about the IRS data theft, while others wait for refunds or audit notices. For taxpayers across the country, however, there’s a growing sense that this year, it’s the taxman who has a balance owing.

More from

How to craft a comprehensive data cleanliness policy

3 min read - Practicing good data hygiene is critical for today’s businesses. With everything from operational efficiency to cybersecurity readiness relying on the integrity of stored data, having confidence in your organization’s data cleanliness policy is essential.But what does this involve, and how can you ensure your data cleanliness policy checks the right boxes? Luckily, there are practical steps you can follow to ensure data accuracy while mitigating the security and compliance risks that come with poor data hygiene.Understanding the 6 dimensions of…

2024 roundup: Top data breach stories and industry trends

3 min read - With 2025 on the horizon, it’s important to reflect on the developments and various setbacks that happened in cybersecurity this past year. While there have been many improvements in security technologies and growing awareness of emerging cybersecurity threats, 2024 was also a hard reminder that the ongoing fight against cyber criminals is far from over.We've summarized this past year's top five data breach stories and industry trends, with key takeaways from each that organizations should note going into the following…

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today