May 29, 2015 By Douglas Bonderud 2 min read

The Internal Revenue Service (IRS) isn’t shy when it comes to asking Americans for personal details, financial records and a host of other sensitive data. As reported by U.S. News & World Report, however, the taxman isn’t so great at keeping this data secure: The tax returns of more than 100,000 taxpayers have been stolen. Even worse? The IRS data theft was made possible thanks to an official IRS service called “Get Transcript.” While IRS Commissioner John Koskinen stated that the attack was complex and not the work of amateurs, that’s cold comfort for the victims. How did one of the most complex and secretive agencies in the U.S. get hacked?

How the IRS Data Theft Occurred

At first glance, the Get Transcript service offered by the IRS is a good idea because Americans often require copies of old tax returns in order to secure mortgages or financial aid. Accessing a transcript requires users to provide their name, Social Security number, date of birth, marital status and street address — in other words, data that’s readily available to any malicious actor with a mind to compromise personal security.

But the system also required four correct answers to knowledge-based authentication (KBA) questions, which the IRS site described as questions “that only you can answer.” They might be about former addresses, phone numbers or even home loan information . But as USA TODAY pointed out much of this information is often available for as little as $1 per record on the Deep Web. Robert Hansen, vice president at WhiteHat Security, said that it would have been easy for hackers to automate the submission process and quickly rack up stolen records. Ultimately, 100,000 out of 200,000 attempts to steal data were successful. Morey Haber of BeyondTrust describes this performance as “staggering.”

Rip-off Refunds?

While the IRS doesn’t have an exact number on how much money was handed out in fraudulent refunds, Koskinen claimed the total is less than $50 million. Initial investigations of the attack suggested that the transcript system was targeted from February to mid-May, and the service has temporarily been suspended as a result. The agency also claimed that its main tax-filing computer network has not been hacked, and before the transcript system was breached, over 23 million records were successfully downloaded by legitimate users.

But there’s a larger problem: Once thieves have access to older returns, they can victimize taxpayers again and again, year after year. It’s up to the IRS to sort out which returns are fakes and which are the real deal. Ultimately, the issue boils down to a kind of authentication tipping point. Government agencies want large amounts of personal data to verify users, but once malicious actors obtain enough information to breach a secure system, the IRS and other organizations are more than willing to share every piece of data they’ve ever obtained, forcing users to fight for their own identities.

Soon, more than 200,000 Americans will receive warning notices about the IRS data theft, while others wait for refunds or audit notices. For taxpayers across the country, however, there’s a growing sense that this year, it’s the taxman who has a balance owing.

More from

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today