So the IRS was not hacked – as many media outlets are claiming. Was taxpayer data stolen from IRS systems? Yes, did it involve any kind of hack (by any definition) – no.
There was no intrusion, there was some clever phishing, data slurping and brute forcing – of people who already had their data stolen it’s important to note.
It seems the biggest leak was of tax returns and the illegal access is to bolster the stolen identities of folks who had already been compromised by some other means.
The US Internal Revenue Service said on Tuesday that info including tax returns and income forms for some 100,000 people were illegally accessed this year.
The US tax agency believes a group collected a trove of information on the victims and then used that data to fill out the authentication forms for the IRS’s online “Get Transcript” feature, which allows taxpayers to access past tax records.
To say that the IRS itself was “hacked” – as some journos squawked today – is more than a stretch. The criminals did not compromise any IRS servers or exploit technical glitches in the Get Transcript feature. Rather, they gathered an obscene amount of personal data from their victims via other means, and then typed that data to the IRS site.
“Third parties succeeded in clearing a multi-step authentication process that required prior personal knowledge about the taxpayer, including Social Security information, date of birth, tax filing status and street address before accessing IRS systems,” the IRS told The Reg in an emailed statement.
“The multi-layer process also requires an additional step, where applicants must correctly answer several personal identity verification questions that typically are only known by the taxpayer.”
According to the IRS, the data theft operation ran from February through mid-May, when the activity was detected. In total, the IRS said 200,000 attempts to access personal information were made from “questionable” email accounts, about half of which resulted in successfully accessing the Get Transcript function.
The one thing that surprises me is that so many bogus requests were not detected earlier, as I’m pretty sure a lot of questions were answered wrongly and retried possibly multiple times.
Perhaps the attackers were very smart though and used different IP addresses, different browser agents, different submission timings etc. And not noticing 200,000 illicit requests from “questionable” e-mail addresses – that seems kinda lackadaisical.
It is not known how the personal information used to fill out the transcript requests was gathered, or from where.
“The matter is under continuing review by the Treasury Inspector General for Tax Administration and IRS offices, including Criminal Investigation,” the IRS said. “The IRS notes this issue does not involve its main computer system that handles tax filing submission; that system remains secure.”
The IRS has shut down the Get Transcript portal until further notice. The tax authority will also provide free credit monitoring services to those who were affected by the illegal access – and given the nature of the data required for access, they’ll need it.
When your Social Security Number, date of birth, marital state, home address, and enough personal background to answer a handful of verification questions has been taken by an identity thief, you probably have other things to worry about than whether they view your 1040EZ.
Again, we would advise those not affected not to panic over any sensationalist “IRS has been hacked!” headlines currently floating around news and social media. This was not a breach of any IRS systems, but rather what appears to be the result of some very extensive phishing/data harvesting from 100,000 unlucky individuals.
So yah to summarise it’s not a hack, but it does expose some weakness in the IRS Get Transcript service and due to that, they’ve disabled it at the moment.
But as the article mentions, if the attackers already had that much information on you (SSN, address, personal information) – them getting access to your historical tax returns is the least of your worries.
Source: The Register