Ben Franklin famously quipped that nothing is certain in this world other than death and taxes. If Franklin were alive and tweeting today, he’d probably add getting hacked to that list.
On Tuesday, the IRS revealed that hackers have compromised the personal information of more than 100,000 American taxpayers. The stolen data includes Social Security numbers, birth dates, tax filing status, and street addresses.
Agency officials said in a statement that, between February and mid-May of this year, hackers repeatedly targeted an application on the IRS’s website called “Get Transcript.” The app required to users to login with personal information to verify their identity. However, the hackers reportedly came armed with external information about the victims that allowed them to beat the security questions. The IRS reports that 200,000 attempts were made, but it appears that only about half were successful.
The Get Transcript feature, which lets taxpayers download their tax returns along with information about tax payments, was disabled last week after IRS officials learned of the breach. The agency said that the incident is being investigated by the Treasury Inspector General for Tax Administration and the IRS Criminal Investigation Unit.
In a statement, IRS officials wrote that all 200,000 taxpayers who had attempts made to access their accounts will be notified by mail. Even though their accounts weren’t compromised, the hackers’ attempts to breach their accounts likely indicates that some of their personal information is out there online and in the possession of identity thieves.
The approximately 100,000 taxpayers whose accounts were compromised will be provided with free credit monitoring. Keeping a watchful eye on their credit reports is job one for people who have information of the sort contained in tax returns compromised. Data points like birth dates and Social Security numbers can be used by identity thieves to open credit cards, take out bank loans, and generally wreck havoc on someone’s financial life.
The type of information hackers absconded from the IRS has the added problem of being especially sticky. In comparison with something like a credit card number, a Social Security number sticks with an individual for life and an identity thief armed that information can do damage for years down the line—well after any free credit monitoring protection offered by the IRS runs out.
Outside of this particular incident, the IRS is already dealing with a new wave of tax-related identity theft. In the scheme, which is rapidly increasing in prevalence, scammers used stolen personal information to file fraudulent tax returns and then collect the refund. The process is often difficult to sort out, even though the IRS has devoted increased resources to combating this type of fraud in recent years.
Earlier this year, an investigation by journalist Brian Krebs pointed out some potential security holes in the IRS’s Get Transcript application that could be used to file fraudulent tax returns:
The IRS’s process for verifying people requesting transcripts is vulnerable to exploitation by fraudsters because it relies on static identifiers and so-called “knowledge-based authentication” (KBA)—i.e., challenge questions that can be easily defeated with information widely available for sale in the cybercrime underground and/or with a small amount of searching online.
To obtain a copy of your most recent tax transcript, the IRS requires the following information: The applicant’s name, date of birth, Social Security number and filing status. After that data is successfully supplied, the IRS uses a service from credit bureau Equifax that asks four KBA questions. Anyone who succeeds in supplying the correct answers can see the applicant’s full tax transcript, including prior W2s, current W2s and more or less everything one would need to fraudulently file for a tax refund.
Former senior IRS official Thomas Wilson told the Daily Dot earlier this year that he advises taxpayers to file their taxes early in order to head off any potential tax identity thieves at the pass.