IRS exposes ‘Holy Grail of personal information’ online

The IRS accidentally posted tens of thousands of Social Security numbers publicly on the Internet.

Identity theft is big business. Attackers use a variety of tools and techniques to extract tidbits of information that can be used to infiltrate a person’s digital life, or assume their identity. The IRS inadvertently exposed sensitive information that could impact tens of thousands of American taxpayers.

Every detail has value—a name, birth date, address, phone number, email address, etc. The ultimate prize in identity theft, though—the master key that unlocks almost every other aspect of an online identity—is the Social Security number. The Internal Revenue Service unwittingly exposed tens of thousands of Social Security numbers on the Internet, putting those affected at extreme risk of identity theft.

Eduard Goodman, Chief Privacy Officer for IDentity Theft 911, explained, “The information exposed is really the Holy Grail of personal information, as it is the key piece of information needed for new account creation, filing taxes, etc.”

The beauty of a Social Security number from a cyber criminal’s perspective is that it doesn’t expire, and you can’t just cancel the account or change your password. It’s possible to request a new SSN, but it’s a complicated process that is reserved only for extreme cases. For most people, the SSN will remain the same for life, so once an attacker has it, life can get very messy.

One significant risk resulting from a breach such as this is the potential for cyber crooks to file fraudulent tax returns and apply for refunds using the exposed Social Security numbers. The IRS will process the first return that comes through for a given Social Security number, and reject subsequent tax returns using the same SSN. The legitimate owner of the SSN can most likely work everything out eventually, but it will be a hassle, and will delay any expected refund payments.

Goodman recommends that people who believe their SSN has been exposed or compromised contact the credit bureaus and place a fraud alert on their accounts. A more secure option is to pay for a security file freeze that absolutely prevents any new debts or accounts from being associated with that Social Security number.

“While the cost for doing this with all three bureaus is slightly less than $50 total, it is money well spent and locks down a credit file until the consumer decides to unlock it. (A process that could take a couple of days, so plan ahead before you go car shopping, finance furniture or refinance a home for instance),” says Goodman.

Identity Theft 911 suggests that anyone who believes their identity has been stolen should file a police report, and contact the three major credit bureaus to notify them. It’s also important to be vigilant about monitoring bank and credit card account statements for suspicious or fraudulent activity.

Businesses, CSOs, and IT admins should take note of the mistake the IRS made, and ensure processes and tools are in place to prevent a similar breach. Employees, customers, and suppliers entrust sensitive information to the companies they work with, and the company has an obligation to secure and protect it.
