In May, the Internal Revenue Service (IRS) – the US government agency tasked with collecting taxes – suffered a data breach in which attackers got away with the personal information of an estimated 100,000 taxpayers.
Fast-forward a few months and scratch that number.
In fact, the number of taxpayers’ accounts that might have had personal data siphoned off by attackers is more than triple the original estimate, the IRS said on Monday.
The updated numbers: an additional 220,000 taxpayers can anticipate receiving letters from the IRS in the next few days, plus another 170,000 other households whose personally identifiable information (PII) may be at risk even though the IRS says the identity thieves failed to access its system.
From the IRS’s release:
The IRS will begin mailing letters in the next few days to about 220,000 taxpayers where there were instances of possible or potential access to "Get Transcript" taxpayer account information. As an additional protective step, the IRS will also be mailing letters to approximately 170,000 other households alerting them that their personal information could be at risk even though identity thieves failed in efforts to access the IRS system.
The Get Transcript application to which the IRS refers allowed taxpayers to review details of their income and tax-related information from previous tax years, and it’s where the attackers gained their foothold into the IRS’s system.
In May, the IRS determined that the attackers had sucked up PII from a source outside its own systems before turning to Get Transcript.
With that PII, the crooks could clear a multi-step authentication process that included a number of personal verification questions that should have only be known by the taxpayer.
The IRS shut down Get Transcript the same month.
The agency initially tallied 114,000 total attempts to use Get Transcript with information gleaned from one or more outside sources.
It also spotted 111,000 failed attempts to get past the final verification step, meaning the intruders couldn’t get at account information through Get Transcript.
But a deeper analysis, involving more than 23 million uses of Get Transcript over a wider time period that covered the entire 2015 filing season, has shown that the breach was much bigger than that: the IRS identified an estimated additional 220,000 successful attempts – i.e., the crooks cleared the Get Transcript verification process.
That same review also identified an additional 170,000 suspected attempts that failed to clear the authentication processes.
Uncertainty surrounds much of those numbers, and not everybody who gets a letter about the incident has necessarily had their accounts compromised.
For example, the IRS says that if a tax return was filed before the Get Transcript access occurred, the taxpayer can disregard the letter if they were in fact the party seeking a copy of their tax return information.
But don’t disregard that letter entirely.
Taxpayers should take heed: the IRS thinks that some of the stolen information may be used to file bogus tax returns in the upcoming 2016 filing season.
So if you receive a letter, take advantage of the IRS’s free credit monitoring and IP PIN to verify the authenticity of your tax return next year.
That authentication number, the Identity Protection PIN (IP PIN) is a six-digit number sent to taxpayers by mail.
It’s a form of two-factor authentication (2FA) that makes it a lot tougher for attackers to access taxpayer accounts.
Unfortunately, IP PIN is only available to a subset of voters: those who live in Florida, Georgia or the District of Columbia; people who’ve received a letter inviting them to opt in; or, ironically enough, those who’ve already been victimized by identity theft.
Even though IP PIN hasn’t been rolled out as a prophylactic measure for all US voters, the Get Transcript breach has triggered other security enhancements that will change how tax returns will be handled in 2016.
As the IRS announced in June, the agency is looking at new ways to check someone is who they say they are, such as:
- Looking at how the tax return is transmitted, including the improper and/or repetitive use of IP numbers.
- Reviewing computer device identification data tied to the return’s origin.
- Seeing how long it took to complete the tax return, in order to detect computer mechanized fraud.
- Capturing metadata in the computer transaction that will allow the agency to check for identity theft related fraud.
Those are all good moves that deserve a thumbs up.
But if this were a ballot issue to be voted on by the electorate – that would be us, the US taxpayers, whose tax dollars fund the tax systems and all of the data protections meant to secure our financial safety – the ability for all taxpayers to opt in to IP PIN would probably win by a landslide.
At any rate, those US taxpayers who want to live a more secure digital life (and who read Naked Security!) overwhelmingly support the IP PIN option: when we polled readers, 95.98% said they’d like to have that option.
The IRS says that it “takes the security of taxpayer data extremely seriously” and that it’s “working aggressively to protect affected taxpayers and continue to strengthen our systems.”
Thank you, IRS, for continuing to strengthen your systems.
Now, just give us all the option to use IP PIN, and we will send you a 2FA salute!
Image of files courtesy of Shutterstock.
Tom F
Sounds like Sophos might have a new customer.
Steve
Nah, they’ll just demand a few bazillion more bucks and create a new federal agency to do the security work themselves… but, of course, fail to do so effectively.
Lois DeArmond
So, if I have never set up any kind of online communication with the IRS, I am safe from this?
Lisa Vaas
As far as we know, that’s correct, given that the IRS says the attackers broke in via the online transcript application.
Ray
That is NOT correct! When the IRS set up the online transcript app ANYONE could attempt to login and create an account in your name. If they succeeded, they had 100% access to ALL your tax records! I know because I am one of the 300k that had their tax info stolen. And I had never heard of the online app used until I got the letter from the IRS – 2 MONTHS after they said they would send letters out!!!!!
I called the IRS about this and they would not tell what “personal” info was required to set up and account but said it was something only I would have known. Obviously that’s a bag full of crap since I never set up the account and THEY – the IRS – allowed someone else to do so. The personal info was probably something like – are you a human, are you an US resident, are you still living, did you ever drink water, …