The United States Federal Bureau of Investigation is looking into a hack of the U.S. Internal Revenue Service in which personal data was stolen from at least 100,000 taxpayer accounts, out of roughly 200,000 accounts that attackers attempted to access.
The hackers got the data by accessing the Get Transcript application, which lets taxpayers download data they filed with the service, the IRS announced Tuesday.
Twenty-three million taxpayers used the online Get Transcript application in the latest filing season.
Data available through Get Transcript can include account transactions, line-by-line tax return information, and income reported to the IRS. The information can be used to verify income for mortgages and student loans, making it highly suitable for identity theft and fraud.
Taxpayers seeking access to Get Transcript must first submit personal information including their Social Security number, date of birth, filing status and street address. They must then answer out-of-wallet questions based on information only they should know, such as the amount of their car payment or other personal details. This is knowledge-based authentication: its security rests entirely on the assumption that the answers are secret.
The hackers obtained that personal information from sources outside the service and used it to clear the security hurdles. They did not, however, gain access to the core IRS system or the tax accounts it holds, the IRS said.
Still, the personal data they acquired “seems to be exactly the kind of information the IRS has,” Igor Baikalov, chief scientist at Securonix, told the E-Commerce Times.
A Drop in the IRS Data Bucket?
One disturbing explanation for the relatively small number of accounts attacked is that “the hackers specifically identified certain high-value targets they wanted to go after,” Radware Security Solutions Director Ben Desjardins told the E-Commerce Times.
There has been widespread concern that hackers would target certain people, such as high-profile business executives, to breach enterprise networks.
“We live in a world where the Internet has become a database of ‘you,’ and where one data breach can easily feed another,” said Ken Westin, senior security analyst at Tripwire.
The hackers used “components of data that have recently been compromised in health insurance data breaches,” Westin pointed out. Data that has already been exposed in other breaches can no longer be treated as a secret, and therefore should not be relied on for security or authentication checks.
You Call That Safe?
“I would not consider [protection of the core system] an accomplishment, considering that more than 100,000 taxpayers’ SSNs and sensitive personal data — a virtual treasure trove for identity thieves — was taken,” said Richard Blech, CEO of Secure Channels.
Given that the hackers hit 200,000 or so accounts, the IRS “is apparently lacking security alert systems for being breached, proper authentication using multiple biometric factors, and deep encryption for all customer-sensitive data,” he told the E-Commerce Times.
What the IRS Is Doing Now
The IRS will send affected taxpayers a letter telling them whether their account was actually accessed or only targeted, and offering them free credit monitoring.
It is also marking accounts of affected taxpayers on its core tax account system to protect them against identity theft going forward.
“Why does the IRS offer enhanced security only to those who have had their information stolen?” asked John Gunn, vice president at Vasco Data Security. “Why not use a simple one-time password solution to keep everyone from joining the growing ranks of identity theft victims?”
OTP solutions have been proven “very effective” by large global banks, he told the E-Commerce Times.
The Dangers of Taking It Easy
The U.S. Government Accountability Office in March warned of security concerns at the IRS.
The service had implemented corrections for 24 of 69 previously reported weaknesses, but 10 of those corrections did not fully resolve the weaknesses they were meant to address.
Further, the IRS had not updated key mainframe policies and procedures to monitor access, increasing the risk that unauthorized access to tax processing systems would not be detected.
Can’t say that I’m surprised!