Breach Notification , Security Operations

Tax Commissioner Expects More IRS Cyberattacks

Latest Attack Targeted System Used to Generate E-Filing PIN
Tax Commissioner Expects More IRS Cyberattacks
Commissioner John Koskinen discusses cyberattacks on IRS systems.

The Internal Revenue Service in January was the victim of yet another hacker attack, and IRS Commissioner John Koskinen acknowledges that more such attacks should be expected.

See Also: Hunt Cloud Threats or Be Hunted | CISO Guide to Cloud Compromise Assessments

"We have to recognize that this is going to be an ongoing problem," Koskinen testified at a Feb. 10 Senate Financial Services Committee hearing, adding that IRS systems are attacked or pinged 1 million times a day. "The caliber of the enemy we are facing is increasingly more sophisticated and more global. We're dealing with organized crime syndicates all around the world."

On Feb. 9, the IRS said it identified and halted a January attack, generated by an automated bot, on its Web application that taxpayers use to produce personal identification numbers for electronic tax filings. Using personal information stolen elsewhere, the attackers used malware to produce electronic filing PINs so they could file for false tax refunds, according to an IRS statement.

Notifying Taxpayers

The IRS says it's notifying affected taxpayers by mail that their personal information was used in the latest attempt to access the IRS application. The agency says it's protecting those taxpayers' accounts by "marking them to protect against tax-related identity theft."

IRS Commissioner John Koskinen discusses watching the movements of cybercriminals.

The IRS says it identified unauthorized attempts involving some 464,000 Social Security numbers, including 101,000 that were used to successfully access e-file PINs. No personal taxpayer information was compromised or disclosed from IRS systems. "They weren't cyber breaches in the sense that our database was accessed," Koskinen says.

In last year's attack on the IRS Get Transcript system, thieves may have accessed as many as 334,000 taxpayer accounts (see IRS Hack Much Wider Than First Thought).

Both attacks represent "sophisticated forms of ID theft," the commissioner says. "The criminals already had all of the personal info of the taxpayer they needed."

Koskinen told the Senate panel the IRS over the past year has toughened its cyberdefenses, in part, through knowledge garnered from an information-sharing program established last year with tax-filing providers and states' taxing authorities. "We have been attempting to move from being solely reactive to pulling together the resources we need and the partnerships we need to try to get ahead of the game, get a head of where the criminals are going," he said.

Seasonal Attacks

Attacks on the IRS and tax-preparation companies are seasonal events. "Such operations are especially common starting in January and February, when many employers and financial institutions, among other entities, distribute tax documents," according to iSight Partners, a cyberthreat analysis company. "Fraudulent tax filings in the U.S. will likely increase over the next months leading to the tax deadline."

A year ago, tax preparation software provider Intuit temporarily suspended electronic filings via its TurboTax offering because the service experienced a dramatic increase in suspicious filings and criminal attempts to leverage stolen identities in order to claim tax refunds.

"It is axiomatic that we and every financial institution in the world are under attack," Koskinen says. "That's because criminals already have a vast amount of personal information and they're trying to figure out how to monetize that information."

Security Controls' Deficiencies

Though the attacks on the IRS' e-file PIN application and Get Transcript did not involve a breach of core IRS databases that store details on taxpayers' personal information and finances, a November audit by the Government Accountability Office took the tax agency to task for deficiencies in internal information security controls, including missing security updates, insufficient audit trails and monitoring for certain key systems and the use of weak passwords (see GAO: Taxpayer Data at Increased Risk).

"Until IRS takes the necessary steps to address these control deficiencies, its financial and taxpayer data will remain at increased risk of inappropriate and undetected use, modification or disclosure," Cheryl Clark, GAO director of financial management and assurance, said in the audit report.

About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.