Identity thieves obtain 100,000 electronic filing PINs from IRS systems

The IRS has released some details on a data breach that involves personal data of taxpayers who use the IRS’s e-file website. The personal information was first obtained from another, unidentified source(s) – not the IRS – and was then used to log into the IRS website to obtain personal ID numbers used to file tax returns.

Ars Technica reported:

The US Internal Revenue Service was the target of a malware attack that netted electronic tax-return credentials for 101,000 social security numbers, the agency disclosed Tuesday. Identity thieves made the haul by using taxpayers’ personal data that was stolen from a source outside the IRS, according to a statement. The attackers then used an automated bot against an application on the IRS website that provides personal identification numbers for the electronic filing of tax returns. In all, the hackers made unauthorized queries against 464,000 social security numbers but succeeded against only 101,000 of them. No personal information was obtained from the IRS systems. Agency officials are flagging the accounts of all affected taxpayers and plan to notify them by mail of the incident. The IRS is also working with other government agencies and industry partners to investigate the hack or stem its effects. The hack occurred last month.
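As an added illustration of the automated-query pattern Ars describes (this is not code from the IRS or the article), the following Python flags any client that retrieves PINs for many distinct taxpayers inside a short window; the log format, field names and sample lines are constructed:

```python
"""Flag clients that query a PIN-retrieval endpoint for many distinct taxpayers
in a short window, the signature of an automated bot working through stolen PII.
Added example (not IRS or Ars Technica code); the log format is constructed."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed log: "<ISO timestamp> <client ip> <hashed taxpayer id> <outcome>".
# 203.0.113.7 walks 40 different ids in 40 seconds; 198.51.100.4 looks normal.
SAMPLE_LOG = "\n".join(
    [f"2016-01-12T09:00:{i:02d} 203.0.113.7 subj{i:03d} "
     f"{'success' if i % 5 == 0 else 'fail'}" for i in range(40)]
    + ["2016-01-12T09:05:10 198.51.100.4 subj900 success",
       "2016-01-12T09:20:00 198.51.100.4 subj900 fail"])


def parse_line(line):
    ts, ip, subject, outcome = line.split()
    return datetime.fromisoformat(ts), ip, subject, outcome


def find_bulk_lookups(log_text, window=timedelta(minutes=10), max_subjects=20):
    """Return {ip: (attempts, distinct_subjects, successes)} for every client
    that looked up more than max_subjects distinct taxpayers inside any sliding
    window. Distinct subjects are counted rather than raw requests, so a genuine
    taxpayer retrying their own lookup several times is not flagged."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, subject, outcome = parse_line(line)
            by_ip[ip].append((ts, subject, outcome))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        recent = deque()        # (timestamp, subject) pairs inside the window
        in_window = Counter()   # subject -> occurrences inside the window
        for ts, subject, _ in events:
            recent.append((ts, subject))
            in_window[subject] += 1
            while ts - recent[0][0] > window:   # slide the window forward
                _, old = recent.popleft()
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
            if len(in_window) > max_subjects:
                distinct = len({s for _, s, _ in events})
                successes = sum(1 for _, _, o in events if o == "success")
                flagged[ip] = (len(events), distinct, successes)
                break   # one verdict per client is enough
    return flagged
```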

In response to this news, @DFMag received comments from the following security experts.

Mark Bower, global director, product management at HPE Security – Data Security:

“Attackers are very capable of taking data stolen from other sites and using it for secondary attacks to more lucrative systems, as in this case. SSN data is regulated personally identifiable information under many regulations and should be protected.

Modern data-centric security is the technology of choice, delivering an end-to-end encryption approach – protecting data at rest, in use and in motion – thereby minimising any clear data exposure and ensuring attackers get nothing of value when they do penetrate systems. The ability to render data useless if lost or stolen, through data-centric encryption, is an essential benefit to ensure data remains secure.

Cyber criminals today are motivated to steal personal data, as well as enterprise data, intellectual property and employee or customer information. Hackers are always looking for a way to exploit a system in a way that they can then turn stolen data into cold, hard cash. As this attack points out, there is a clear need to protect personal information like name, full address, phone number and email address so that criminals can’t use the information to open bogus accounts, sell it for use in more targeted, larger-scale spear-phishing, steal identities, or, as in this case, obtain tax identification information.”

Lisa Baergen, manager at NuData Security:

“It is disappointing that the IRS’s Get Transcript Tool has once again been used by hackers in the run-up to tax season, and their success rate was shocking. Last year the same tool was used to gain information on American citizens in order to submit fraudulent tax returns. This year the same tool has been leveraged to obtain the very Identity Protection PINs that were lauded last year as a way for taxpayers to protect their accounts and private information. What did the hackers use in their automated attack? Just the name, address, date of birth and Social Security Number – and thanks to countless breaches, some even at the highest levels of the American government, this information is not hard to find. If the data is out there, it will be used. Why are we making it easier for hackers? So long as key security measures rely on easily obtained, personally identifying information, this will keep happening. We have to devalue that cheap, easy-to-come-by data and approach authentication in an entirely new way, or these headlines will keep appearing every spring.”