Data acquired from non-IRS sources enabled access to 100K taxpayer accounts
The IRS explained that unauthorized access to taxpayer information was gained through its “Get Transcript” application.
The IRS announced on Wednesday that criminals used taxpayer-specific data acquired from non-IRS sources – including Social Security information, tax filing statuses, birth dates and street addresses – in order to gain unauthorized access to information on more than 100,000 tax accounts.
The announcement came about a day after reports revealed that the Internal Revenue Service (IRS) had experienced a breach.
In a statement emailed to SCMagazine.com on Wednesday, the IRS explained that the attackers accessed the taxpayer information through its “Get Transcript” application, which has since been temporarily disabled. Other IRS systems are not affected, the statement added.
“These third parties gained sufficient information from an outside source before trying to access the IRS site, which allowed them to clear a multi-step authentication process, including several personal verification questions that typically are only known by the taxpayer,” the statement said.
The breach was identified late last week after the IRS observed unusual activity on its “Get Transcript” application, the statement said, indicating that attempts to access the accounts began in February and continued through the middle of May.
Altogether, the IRS identified 200,000 attempts to access data. All of those taxpayers will be notified of the incident, and the more than 100,000 taxpayers whose “Get Transcript” accounts were accessed will receive free credit monitoring services.
“In addition, the IRS is marking the underlying taxpayer accounts on our core processing system to flag for potential identity theft to protect taxpayers going forward – both right now and in 2016,” the statement said, adding the incident is currently being reviewed by the Treasury Inspector General for Tax Administration and the IRS' Criminal Investigation Unit.
In a statement emailed to SCMagazine.com on Tuesday, Eric Chiu, president and cofounder of HyTrust, said that these types of incidents demonstrate a compounding effect, in that personal information gleaned from one breach can be leveraged in another breach to gain even more information on the same individual.
John Gunn, VP at VASCO Data Security, noted in comments emailed to SCMagazine.com on Tuesday how the breach highlights a change that has occurred in the market for stolen data.
“Social Security numbers are becoming the primary high-value target of hackers because they are worth ten times as much as credit cards and they are protected by a fraction of the security of banking assets,” Gunn said. “This will obviously have to change or we will see an increasing number of victims.”
In comments emailed to SCMagazine.com on Wednesday, Tsion Gonen, VP of Strategy for Identity and Data Protection at Gemalto, said that these types of incidents demonstrate the limitations of using static authentication credentials.
“[This] is why organizations should use strong authentication methods, such as one-time passwords delivered to mobile devices or phones, when users access accounts online,” Gonen said. “Regardless what log-in credentials a hacker may have, they won't get anywhere without the [one-time password].”