IRS Online Security Breach Affects 100k Taxpayers

The IRS has revealed that cyber attackers managed to trick its system in handing over more than 100,000 access codes for user accounts. Fortunately the breach was discovered before any sensitive data was compromised.

The attack followed a data theft from a source outside of the IRS. The agency hasn't revealed what that was, but it appears to have involved a stolen list that included social security numbers.

The attackers then set an automated program, or "bot" to work. Using stolen social security numbers (sourced from outside the IRS), the bot was used to generate E-file PINs from the stolen social security numbers. It appears the idea was for the hackers to effectively set up electronic access for taxpayers who didn't yet use online filing, then access account details at a later time. A similar scam is used to redeem gift cards from retail outlets.

464,000 Social Security Numbers Used

The bot carried out repeated attempts to create PIN codes, and it seems this sheer numbers game paid off. According to the IRS, the attackers made attempts to get a PIN code on 464,000 different accounts and successfully received the code for 101,000 of these accounts.

Though the IRS hasn't revealed the details of exactly how and when it discovered the attack, it insists that "No personal taxpayer data was compromised or disclosed by IRS systems." (Source: irs.gov)

The agency's statement implies that the only access the attackers gained was the ability to file an electronic tax return for the taxpayers in question. That's at least not as bad as a 2015 attack, where criminals are believed to have gained the ability to read past returns and filings.

IRS To Contact Those Affected

The IRS says it will contact all affected taxpayers by postal mail to inform them of the breach. It's also going to flag up the relevant accounts to give them added protection against any future identity theft attempts.

One theory is that the hackers were attempting to carry out an audacious scam by not only filing bogus returns, but then claiming and collecting tax refunds. Another possibility is that they were hoping to access tax returns and put together complete files of personal details of taxpayers such as names, addresses, dates of birth and social security numbers. These could then be sold on the black market for would-be identity thieves. (Source: cnbc.com)

What's Your Opinion?

Do you file your taxes online? Do you trust the IRS and other public bodies to keep your details safe? Is there a correct balance between making online filing convenient and avoiding the risk of having too much personal detail stored in one place?