The Internal Revenue Service has confirmed a data breach of 100,000 taxpayers' account information. According to a statement posted on the IRS website, criminals allegedly used sensitive information stolen from non-IRS sources to gain unauthorized access to taxpayers' accounts. To access the site, the criminals made use of stolen Social Security Numbers, dates of birth, and "out of wallet" information, which includes data such as high school mascots and spouses' names, to fraudulent fill out the IRS' "Get Transcript" application, a feature that taxpayers can use to view their tax statements as well as tax return information.
Persons involved with the investigation believe that the criminals accessed the personal information from a variety of sites, including social media. Ken Westin, Senior Security Analyst at Tripwire, believes that the information might have also been sold on the criminal underground following a recent spate of high-profile breaches, including Anthem and CareFirst.
"We live in a world where the Internet has become a database of ‘you’ and where one data breach can easily feed another," explains Westin. "The information that was used to bypass the ‘security’ screen is trivial. Social Security numbers, dates of birth, and street addresses are all types of data that have recently been compromised in a few of the large scale health insurance data breaches. Tax filing status can be identified pretty easily if you know whether the person is married or not."
In all, approximately 200,000 attempts using the "Get Transcript" application were made from questionable email domains. According to the IRS, approximately half of these were successful in breaking through the multi-authentication barriers on taxpayers' accounts.
"The fact that the data came 'from questionable email domains' and at a high velocity of requests but yet had a 50% success rate indicates that basic threat intelligence was likely not in place to identify potentially malicious remote IP addresses or from proxies," states Westin. "Neither were other checks such as device fingerprinting that could block a higher percentage of malicious attempts. The data required to make these requests should not be considered a 'security' or 'authentication' check, as the data required is easily accessible with the high number of large scale data breaches, which have essentially made our personal information including Social Security number public information."
The IRS has confirmed that its main tax filing submission system as well as other databases have not been affected by the data breach. Representatives of the IRS have begun sending notification letters to the 200,000 taxpayers whose accounts the criminals tried to compromise. The IRS will also offer free credit monitoring services to those whose accounts were successfully breached. As of this writing, the IRS' "Get Transcript" application remains unavailable following the incident.