The US Internal Revenue Service (IRS) has been hacked—again.
The tax collection agency was the target of a malware attack, it said, that allowed the perpetrators to access the electronic tax-return credentials for 101,000 social security numbers.
The IRS said that using personal data stolen elsewhere outside the IRS, identity thieves used an automated botnet in an attempt to generate E-file PINs for about 464,000 unique stolen social security numbers. Only just about a quarter were used to successfully access an E-file PIN. An E-file PIN is used in some instances to electronically file a tax return.
“While of great concern, this latest report of a cyber intrusion involving the IRS is not surprising in light of the vast inventory of PII (in particular Social Security numbers) in the hands of hackers as a result of countless breaches in the past few years,” said Adam Levin, chairman and founder of IDT911.
Mark Bower, global director of product management for HPE Security-Data Security, said that the attack demonstrates how financially motivated hacks are evolving. “Attackers are very capable of taking data stolen from other sites and using it for secondary attacks to more lucrative systems, as in this case,” said “Hackers are always looking for a way to exploit a system in a way that they can then turn stolen data into cold, hard cash. As this attack points out, there is a clear need to protect personal information like name, full address, phone number and email address so that criminals can’t use the information to open bogus accounts, sell it for use in more targeted larger-scale spear-phishing, steal identities, or as in this case to obtain tax identification information.”
No personal taxpayer data was compromised or disclosed, the IRS said.
The IRS faced a high-profile hack last year as well. Cyber-fraudsters in that instance also used data harvested from a source outside the IRS—and went on to pass verification checks needed to access the “Get Transcript” system.
This allowed them to be reissued filings and tax returns for previous years on behalf of legit taxpayers—information which could be used to file fraudulent returns early ahead of the 2016 tax year and claim refunds back from the IRS.
Originally the IRS said that 114,000 attempts to clear the Get Transcript authentication process were successful and a further 110,000 attempts failed. But a review months later estimated that an additional 220,000 attempts were made where individuals with taxpayer-specific sensitive data cleared the Get Transcript verification process. The review also identified an additional 170,000 suspected attempts that failed to clear the authentication processes.
Photo © Alex Mirolu