IRS: Crooks Stole Data on 100K Taxpayers Via ‘Get Transcript’ Feature
The Internal Revenue Service (IRS), in an official statement issued today, said that identity thieves have illegally obtained tax information for more than 100,000 taxpayers, with unsuccessful attempts made on approximately 100,000 additional taxpayer accounts. The IRS said that a small portion of the 23 million transcripts were legally downloaded, which means a 50 percent success rate for the thieves.
According to the IRS statement, a preliminary review of that activity revealed “access was gained to more than 100,000 accounts through the Get Transcript application.” The Get Transcript service has been temporarily shut down. IRS Commissioner John Koskinen delivered the news at a hurriedly arranged press conference this afternoon to alert taxpayers to the breach.
As the IRS revealed more information, it became clear that the user data was not acquired through a direct hack of government systems. The weak authentication used by the IRS to protect access to taxpayer data is likely to be the reason for this hack. The identity thieves were able to obtain taxpayer records using stolen personal identifying information such as a person’s Social Security number, date of birth, tax filing status and street address, which may have been pulled from online financial fraud marketplaces.
The Get Transcript application was apparently hacked by financial thieves between February and mid-May. The Get Transcript feature of the IRS site allows taxpayers to download tax payment transaction data and tax returns. It is believed that the Get Transcript application may have been linked to the fraudulent filing of tax returns and the transfer of tax refunds.
All that was needed to start the process of getting a transcript online was an active email address and a Social Security number. Once the email address was established as valid, the system would then ask a number of questions about personal, financial, and tax information, including date of birth, tax filing status, and address, before providing the transcript for download. This sort of authentication, called knowledge-based authentication, is highly susceptible to fraud. It is based on details that never change, and such data is widely available from stolen financial information marketplaces to anyone willing to pay for it.
An IRS spokesperson noted in the agency’s statement that the data breach disclosed today did not reach any of the IRS’ core security systems. “The IRS notes this issue does not involve its main computer system that handles tax filing submission; that system remains secure.”
However, this information may be of little comfort to the approximately 100,000 taxpayers whose data is now in the hands of the financial fraud marketplace. The same applies to the other 100,000 or so individuals whose SSNs were used in an effort to access their tax records.
The IRS will be “sending a letter to all of the approximately 200,000 taxpayers whose accounts had attempted unauthorized accesses, notifying them that third parties appear to have had access to taxpayer Social Security numbers and additional personal financial information from a non-IRS source before attempting to access the IRS transcript application,” the agency said in its statement.
The IRS statement noted that those whose records were accessed will be given free credit monitoring “to ensure this information isn’t being used through other financial avenues.” In addition, the affected taxpayers’ records will be monitored for fraud for the current and 2016 tax reporting periods. According to the official statement, the IRS “is marking the underlying taxpayer accounts on our core processing system to flag for potential identity theft to protect taxpayers going forward—both right now and in 2016.”