IRS: Hack Much Wider Than First ThoughtIntruders Might Have Stolen PII from 334,000 Accounts
The Internal Revenue Service says cyber thieves may have accessed as many as 334,000 taxpayer accounts in a breach of its Get Transcript system, far more than the 114,000 accounts it originally estimated in May (see IRS: 100,000 Taxpayer Accounts Breached).
The Get Transcript online service, suspended in May, is aimed at simplifying the process taxpayers use to retrieve their tax records. It enables taxpayers to review their tax account transactions, line-by-line tax return information or wage and income reported to the IRS for a specific tax year. By circumventing Get Transcript's authentication protections, hackers are believed to have gained access to this taxpayer information, including Social Security numbers.
Since its initial investigation, the IRS has conducted a more extensive review, analyzing more than 23 million uses of the system, covering the 2015 filing season, to determine whether other suspicious activities occurred and identify "more questionable attempts" to obtain taxpayer records through the Web application, according to an Aug. 17 agency statement.
The latest review identified an additional 220,000 suspicious records access attempts that cleared the Get Transcript verification process. That review also identified another 170,000 suspicious attempts that failed to clear the automated authentication process.
Challenges in Indentifying Scope
"When a breach of a system like this occurs, it is always a challenge to identify the scope," says Ken Westin, senior security analyst for the IT security firm Tripwire. "The entire database itself was not compromised directly. Instead, the data was harvested from legitimate website forms, making it more difficult to identify which requests were fraudulent and which were legitimate."
The IRS didn't furnish details on how it uncovered the additional taxpayer accounts that were potentially breached. But skilled hackers might have made it more difficult for the tax agency to quickly assess the complete impact of the breach, says a top congressional information security investigator, who has no direct knowledge of the IRS probe.
"One of things that makes it difficult, particularly if the attacker or intruder is sophisticated, is their ability to eliminate and delete evidence of their actions," says Gregory Wilshusen, information security issues director at the Government Accountability Office, the investigative arm of Congress. "That may make it difficult for the agency to track with certainty the extent to which either files have been exfiltrated or corrupted or accessed. In part, it depends upon the skill and ability of the intruder to mask their actions."
In May, according to the IRS, the agency determined unauthorized third parties previously gained sufficient information from a source outside the tax agency before accessing the Get Transcript Web application that enabled the hackers to clear a multi-step authentication process. The process includes answering several personal verification questions.
At the time, the IRS estimated that the hackers might have gained access to 114,000 taxpayer accounts. Attempts to access another 110,000 accounts failed because the hackers could not properly answer the verification questions, according to the IRS' original estimate.
The method the Internal Revenue Service used to authenticate users for accessing the Get Transcript application - known as knowledge-based authentication, or KBA - has been widely panned by cybersecurity experts (see IRS Authentication Method Criticized). The dynamic version of KBA used by the IRS poses personal knowledge questions for users to answer in order to verify their identity, such as the maiden name of the taxpayer's mother. The answers to the questions are based on public and private information the IRS gathers, such as marketing data, credit reports and transaction history.
"Knowledge-based authentication is a tired technology that has been compromised with the ubiquity of personal information available in social media," says Robert Siciliano, online safety expert with Intel Security. "Any entity that's solely relying on knowledge-based authentication is in the dark ages."
Notices Going Out
In the coming days, the IRS says it will mail letters to the taxpayers whose accounts might have been inappropriately accessed. "Given the uncertainty in many of these cases - where a tax return was filed before the Get Transcript access occurred for example - the IRS notices will advise taxpayers that they can disregard the letter if they were actually the ones seeking a copy of their tax return information," the IRS statement says.
As an additional protective step, the IRS says it also will mail letters alerting other taxpayers that although identity thieves failed in efforts to access their records via the Get Transcript system, their information still might be at risk.
The tax agency cautions that some of the pilfered information might be used by fraudsters to file fake tax returns in 2016, and advises taxpayers to take steps to protect themselves through free credit monitoring the IRS is offering to those whose information is believed to have been inappropriately accessed. The IRS is also issuing personal identity numbers to those potentially affected by the breach that can be used to verify the authenticity of next year's tax return.
The IRS says it continues work to strengthen the Get Transcript system before it will be reactivated; it didn't provide a date when it would be resuscitated.