Although many people may seek to avoid phone calls from the IRS, this is one you’ll want to take—the IRS is contacting nearly 100,000 people because hackers stole their personal (and sensitive) tax information. In addition, the hackers attempted to pilfer an extra 100,000 tax returns but were unsuccessful, according to the agency. The IRS breach is just the latest bullet point in an endless list of cyber exploits that we have now grown accustomed to.
Officials said this was part of an elaborate scheme that began in February and most likely originated in Russia in order to steal identities and claim fraudulent tax refunds. The entry point for the hackers was an online service run by the IRS called “Get Transcript,” which is used to download previous filings. The hackers used previously-stolen information—probably retrieved from other hacks and then sold in online black markets—to access the IRS website and obtain even more information about the taxpayers, including their Social Security number, date of birth, tax filing status, and street address. As an immediate countermeasure, the IRS shut down the affected website and is notifying affected taxpayers of the breach and providing them with credit-monitoring services.
Thieves, however, can still use the information to claim fraudulent tax refunds in the future and use the old tax returns to complete credible-looking forms, thus helping hackers avoid the IRS defenses. Typically, thieves try to file fake tax returns with made-up information early in the filing season, before the legitimate taxpayers can file their returns—and before employers and financial institutions file wage and tax documents with the IRS. While efforts to combat fraud have increased, too many instances of preventable fraud are slipping through the cracks. Criminals continue to adapt and outpace security measures, and even the filters and additional safeguards added by the agency to its computer system to prevent similar schemes are unable to identify all suspicious returns and stop brute force techniques to break into apps like the “Get Transcript” one.
This latest incident should be a wake-up call for government agencies, regulators, and even Congress to work with private tech firms to end reliance on weak online authentication schemes and commonly-known flaws in the use of text passwords and security questions, and to work with the tax preparation industry to utilize some of their data and tools that can help identify potential fraudsters.
This is not the first time the IRS has been targeted by identity thieves, both foreign and domestic, and most likely won’t be the last time either. The IRS hack, while small in overall numbers, demonstrates the vulnerability of the US tax system and of people’s most sensitive data. It is particularly disturbing since the risk isn’t confined just to online users, but every US resident. Just as the data breaches in 2013 and 2014 lit a fire under Visa and Mastercard to accelerate deployment of more secure point-of-sale systems to counteract credit card vulnerabilities, this incident should create momentum around the need to move beyond passwords and personally identifiable (and guessable) security questions for login access and work with the tax preparation industry to combat fraud, prevent theft from the US treasury, and strengthen the integrity of the US tax system. Clearly, this will require concerted efforts from the government and industry to work together to strengthen the nation’s financial system against similar threats. Until then, you might want to answer the phone if the IRS is calling.
IRS Hacked, 100,000 tax accounts breached | USA Today
IRS Believes Massive Data Theft Originated in Russia | CNN
The IRS Could Have Prevented Its Latest Data Hack. Time For Some TFA | Forbes