IRS Admits Hacking Twice as Bad as Originally Announced


Every government hacking story seems to include subsequent revelations that the problem is at least twice as bad as the authorities originally admitted.

The IRS data breach originally announced last May followed the usual pattern, as the Associated Press reported today that the number of victims has more than doubled, from 114,000 to 334,000:

The thieves accessed a system called “Get Transcript,” where taxpayers can get tax returns and other filings from previous years. In order to access the information, the thieves cleared a security screen that required knowledge about the taxpayer, including Social Security number, date of birth, tax filing status and street address, the IRS said.

The personal information was presumably stolen from other sources. The IRS believes the thieves were accessing the IRS website to get even more information about the taxpayers, which could help them claim fraudulent tax refunds in the future.

“As it did in May, the IRS is moving aggressively to protect taxpayers whose account information may have been accessed,” the IRS said in a statement. “The IRS will begin mailing letters in the next few days to about 220,000 taxpayers where there were instances of possible or potential access to ‘Get Transcript’ taxpayer account information.”

In all, the thieves used personal information from about 610,000 taxpayers in an effort to access old tax returns. They were successful in getting information from about 334,000 taxpayers.

The IRS said it is notifying all potential victims and offering free credit monitoring services. The IRS is also offering to enroll potential victims in a program that assigns them a special ID number that they must use to file their tax returns.

The culprits are believed to be “a sophisticated criminal operation based in Russia.”

The Wall Street Journal cites IRS fears that this attack reflects the ability of such advanced hacking operations to “carefully aggregate vast amounts of personal data from multiple sources, and plan and execute highly sophisticated schemes.” In essence, the attackers were able to swipe enough information about the victims from various sources to answer the personal questions protecting access to sensitive personal data, such as “What was your high school mascot?”

They hit 610,000 accounts and successfully penetrated these specialized identification measures about half the time, which is a disturbing success rate. Imagine what a comparably sophisticated operation could do with the gigantic amount of personal data stolen from the Office of Personnel Management!

Fortunately, the IRS says only a few thousand attempts at tax-refund fraud were actually executed, although the WSJ says officials fear the worst may be yet to come: “Hackers in many instances were gathering the information to facilitate fraud during the 2016 tax-filing season.”

“The IRS estimates it paid out $5.8 billion in fraudulent refunds to identity thieves in 2013,” notes the Associated Press.