IRS Confirms It Was a Victim of an Automated Attack
The attack, which occurred in January, targeted the electronic filing PIN application form on the IRS.gov Website. Experts said there are lessons to be learned.
eWeek: The U.S. Internal Revenue Service (IRS) is gearing up for another busy tax season, and it appears that hackers are getting ready, too. On Feb. 9, the IRS confirmed that it was the victim of an automated attack in January that targeted the electronic filing PIN application form on the IRS.gov Website.According to the IRS, attackers made use of personal information, including Social Security numbers, that was stolen from other non-IRS Websites. The attackers then used that information in an attempt to generate fraudulent E-File PIN numbers on IRS.gov. With a PIN number, an attacker could have potentially been able to file a tax return or gain access to other taxpayer information.The IRS investigation has found that 464,000 unique Social Security numbers (SSNs) were used in the attack, with 101,000 being successfully able to access the E-File PIN. The IRS is emphasizing that it has halted the attack and is contacting those who are affected.”No personal taxpayer data was compromised or disclosed by IRS systems,” the agency stated. “The IRS also is taking immediate steps to notify affected taxpayers by mail that their personal information was used in an attempt to access the IRS application.”
In May 2015, the IRS reported that its Get Transcript service was attacked. Get Transcript enables users to get information about their tax account transactions. As is the case with the new attack against the E-File PIN, the Get Transcript service attack involved user information that was stolen from third-party sites. The success rate for the Get Transcript attackers, however, was higher than it was for the E-File PIN attackers, where 100,000 out of 200,000 hack attempts were successful.
Security experts contacted by eWEEK are not surprised that the IRS is once again reporting an attack against its systems. The fact that the IRS.gov site was attacked with SSNs stolen from other third-party sites is, however, somewhat ironic.”One of the most successful ways hackers steal citizens’ Social Security numbers is through fraudulent phishing emails or phone calls that appear to be from the IRS,” Darren Guccione, CEO and co-founder of Keeper Security, told eWEEK.
Hackers know the public is terrified of being identity-theft victims and exploit this fear well, often by telling someone they’ve been a victim already and asking for their Social Security number, Guccione noted.Lance James, chief scientist at Flashpoint, commented that one of the big concerns he sees with the latest IRS attack is the continued reliance on Social Security numbers. “We need to rethink what a Social Security number means these days when it comes to accessing data,” James told eWEEK. “It should not be the administrator password for a person’s life.”Andy Hayter, security evangelist at G DATA Software, also commented on the risks associated with SSN disclosure. Every bit of an individual’s personally identifiable information that is collected via a breach is one more piece of information that can, and someday will, be used against a person, he said.
“As long as information such as Social Security numbers is used as identification, we will have bad actors trying to collect as much information about individuals to do harm, either through theft or worse,” Hayter told eWEEK.Inga Goddijn, executive vice president at Risk Based Security, noted that taxpayers should be concerned that questionable security practices at organizations completely unrelated to the IRS have the potential of affecting their tax returns.
Though the IRS has stated that no personal taxpayer data was compromised or disclosed in the new attack, JP Bourget, CEO of Syncurity, noted that there is still a real risk.”While maybe the IRS can in the end prevent any bad outcomes for taxpayers, I can imagine a few scenarios where a bad guy attempts to file a tax return for a refund that then holds up a valid refund to someone who is owed a refund, and even depending on that refund,” Bourget told eWEEK. “There’s also the angle of now your account is flagged and the uncertainty of how that affects a taxpayer over time and what hidden costs may arise from that.”One potentially positive outcome that could result from the IRS attack is that lessons learned could help prevent the next attack. Goddijn said that it would be helpful if the IRS can share more detail as to how the agency detected the attack and ideas for preventing these types of enumeration attacks in the future. She added that the U.S. government has been pushing for more threat intelligence sharing and improved security practices for all organizations.”Why not take this opportunity to lead the charge and share more about the attack with the security community,” Goddijn said. “That may help stop the next, similar assault on a high-value target.”
In 2015:
USAToday: Criminals hacked into an Internal Revenue Service website and gained access to approximately 100,000 tax accounts, the agency said Tuesday. Another 100,000 attempts were made but were not successful.
The attack appears to have first begun in February, the agency said.
The hackers got in by taking information about taxpayers they’d acquired from other sources and using it to correctly answer several personal identity verification questions in the IRS’ “Get Transcript” application, the IRS said in a statement.
This allowed them to get information about tax accounts through the application. The information stolen included Social Security information, date of birth and street address.
The Get Transcript application allows users to view their tax account transactions, line-by-line tax return information or wage and income reported to the IRS for a specific tax year. It was used to securely retrieve approximately 23 million taxpayer transcripts last year, the IRS said.
The information the hackers used to get in was probably previously stolen by other hackers who then sold it on the open market, said Rob Roy, chief technology officer of HP Enterprise Security Products.
The hackers who bought it “appear to have hired an army of people to submit over 200,000 queries into the IRS site over a period of four months. Not exactly a quick and easy operation,” he said.
“The matter is under review by the Treasury Inspector General for Tax Administration as well as the IRS’ Criminal Investigation unit, and the ‘Get Transcript’ application has been shut down temporarily,” the IRS said.
The agency will provide free credit monitoring services for the approximately 100,000 taxpayers whose accounts were accessed.
The theft was discovered late last week when IRS staff noticed unusual activity on the application. Further investigation showed that attempts were made beginning in February.
The breach does not involve the main IRS computer system that handles tax filing submissions. “That system remains secure,” the IRS said.
“The IRS historically has been very security, it has to be by virtue of the data it collects. But it just goes to show that even the most secure system can be attacked,” said Larry Ponemon of the Ponemon Institute, a data security research group.