May 29, 2015 By Douglas Bonderud 2 min read

The Internal Revenue Service (IRS) isn’t shy when it comes to asking Americans for personal details, financial records and a host of other sensitive data. As reported by U.S. News & World Report, however, the taxman isn’t so great at keeping this data secure: The tax returns of more than 100,000 taxpayers have been stolen. Even worse? The IRS data theft was made possible thanks to an official IRS service called “Get Transcript.” While IRS Commissioner John Koskinen stated that the attack was complex and not the work of amateurs, that’s cold comfort for the victims. How did one of the most complex and secretive agencies in the U.S. get hacked?

How the IRS Data Theft Occurred

At first glance, the Get Transcript service offered by the IRS is a good idea because Americans often require copies of old tax returns in order to secure mortgages or financial aid. Accessing a transcript requires users to provide their name, Social Security number, date of birth, marital status and street address — in other words, data that’s readily available to any malicious actor with a mind to compromise personal security.

But the system also required four correct answers to knowledge-based authentication (KBA) questions, which the IRS site described as questions “that only you can answer.” They might be about former addresses, phone numbers or even home loan information . But as USA TODAY pointed out much of this information is often available for as little as $1 per record on the Deep Web. Robert Hansen, vice president at WhiteHat Security, said that it would have been easy for hackers to automate the submission process and quickly rack up stolen records. Ultimately, 100,000 out of 200,000 attempts to steal data were successful. Morey Haber of BeyondTrust describes this performance as “staggering.”

Rip-off Refunds?

While the IRS doesn’t have an exact number on how much money was handed out in fraudulent refunds, Koskinen claimed the total is less than $50 million. Initial investigations of the attack suggested that the transcript system was targeted from February to mid-May, and the service has temporarily been suspended as a result. The agency also claimed that its main tax-filing computer network has not been hacked, and before the transcript system was breached, over 23 million records were successfully downloaded by legitimate users.

But there’s a larger problem: Once thieves have access to older returns, they can victimize taxpayers again and again, year after year. It’s up to the IRS to sort out which returns are fakes and which are the real deal. Ultimately, the issue boils down to a kind of authentication tipping point. Government agencies want large amounts of personal data to verify users, but once malicious actors obtain enough information to breach a secure system, the IRS and other organizations are more than willing to share every piece of data they’ve ever obtained, forcing users to fight for their own identities.

Soon, more than 200,000 Americans will receive warning notices about the IRS data theft, while others wait for refunds or audit notices. For taxpayers across the country, however, there’s a growing sense that this year, it’s the taxman who has a balance owing.

More from

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

What’s behind unchecked CVE proliferation, and what to do about it

4 min read - The volume of Common Vulnerabilities and Exposures (CVEs) has reached staggering levels, placing immense pressure on organizations' cyber defenses. According to SecurityScorecard, there were 29,000 vulnerabilities recorded in 2023, and by mid-2024, nearly 27,500 had already been identified.Meanwhile, Coalition's 2024 Cyber Threat Index forecasts that the total number of CVEs for 2024 will hit 34,888—a 25% increase compared to the previous year. This upward trend presents a significant challenge for organizations trying to manage vulnerabilities and mitigate potential exploits.What’s behind…

Quishing: A growing threat hiding in plain sight

4 min read - Our mobile devices go everywhere we go, and we can use them for almost anything. For businesses, the accessibility of mobile devices has also made it easier to create more interactive ways to introduce new products and services while improving user experiences across different industries. Quick-response (QR) codes are a good example of this in action and help mobile devices quickly navigate to web pages or install new software by simply scanning an image.However, legitimate organizations aren’t the only ones…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today