May 29, 2015 By Douglas Bonderud

The Internal Revenue Service (IRS) isn’t shy when it comes to asking Americans for personal details, financial records and a host of other sensitive data. As reported by U.S. News & World Report, however, the taxman isn’t so great at keeping this data secure: The tax returns of more than 100,000 taxpayers have been stolen. Even worse? The IRS data theft was made possible thanks to an official IRS service called “Get Transcript.” While IRS Commissioner John Koskinen stated that the attack was complex and not the work of amateurs, that’s cold comfort for the victims. How did one of the most complex and secretive agencies in the U.S. get hacked?

How the IRS Data Theft Occurred

At first glance, the Get Transcript service offered by the IRS is a good idea because Americans often require copies of old tax returns in order to secure mortgages or financial aid. Accessing a transcript requires users to provide their name, Social Security number, date of birth, marital status and street address — in other words, data that’s readily available to any malicious actor with a mind to compromise personal security.

But the system also required four correct answers to knowledge-based authentication (KBA) questions, which the IRS site described as questions “that only you can answer.” They might be about former addresses, phone numbers or even home loan information. But as USA TODAY pointed out, much of this information is often available for as little as $1 per record on the Deep Web. Robert Hansen, vice president at WhiteHat Security, said that it would have been easy for hackers to automate the submission process and quickly rack up stolen records. Ultimately, 100,000 out of 200,000 attempts to steal data were successful. Morey Haber of BeyondTrust describes this performance as “staggering.”

Rip-off Refunds?

While the IRS doesn’t have an exact number on how much money was handed out in fraudulent refunds, Koskinen claimed the total is less than $50 million. Initial investigations of the attack suggested that the transcript system was targeted from February to mid-May, and the service has temporarily been suspended as a result. The agency also claimed that its main tax-filing computer network has not been hacked, and before the transcript system was breached, over 23 million records were successfully downloaded by legitimate users.

But there’s a larger problem: Once thieves have access to older returns, they can victimize taxpayers again and again, year after year. It’s up to the IRS to sort out which returns are fakes and which are the real deal. Ultimately, the issue boils down to a kind of authentication tipping point. Government agencies want large amounts of personal data to verify users, but once malicious actors obtain enough information to breach a secure system, the IRS and other organizations are more than willing to share every piece of data they’ve ever obtained, forcing users to fight for their own identities.

Soon, more than 200,000 Americans will receive warning notices about the IRS data theft, while others wait for refunds or audit notices. For taxpayers across the country, however, there’s a growing sense that this year, it’s the taxman who has a balance owing.
