IRS discloses breach, attackers used PII to clear security checks

On Tuesday, the Internal Revenue Service (IRS) disclosed a data breach that affects 100,000 taxpayers. In a statement on the matter, the IRS said that the attackers were able to access information through the “Get Transcript” application, but added that the systems responsible for tax filing submissions remain secure.

The IRS says that the attackers were able to clear “a multi-step authentication process that required prior personal knowledge about the taxpayer, including Social Security information, date of birth, tax filing status and street address before accessing IRS systems.”

The IRS also says that additional security checks, which include personal identity verification questions typically known only by the taxpayer, were also cleared by the attackers – suggesting they were armed with all the details needed via previous acts of fraud, Phishing, or targeted reconnaissance.

In all, the IRS detected some 200,000 attempts by the attackers to access information via the Get Transcript system, and determined that at least 100,000 individuals had their details exposed.

“On the Get Transcript application, a further review by the IRS identified that these attempts were quite complex in nature and appear to have started in February and ran through mid-May. In all, about 200,000 attempts were made from questionable email domains, with more than 100,000 of those attempts successfully clearing authentication hurdles. During this filing season, taxpayers successfully and safely downloaded a total of approximately 23 million transcripts.”

The incident was discovered late last week, and the IRS says that the Get Transcript application has been shutdown and will remain offline until it can be properly secured.

As for notification, the IRS will be sending letters to all accounts that were accessed directly, or where access was attempted. Of the 200,000 letters that will be sent via USPS, 100,000 of them will include an offer for one year of free credit monitoring.

It’s important to note, and this cannot be stressed enough, any contact form the IRS about this matter will only come via the US Postal Service (USPS). The IRS does not use email or telephone to contact taxpayers, especially where security is concerned.

Given the way the data was accessed, it’s clear the attackers were able to use some form of Phishing or social engineering to gain access to the required information. It’s also possible that they leveraged previous breached records or public sources of informaion. Perhaps both options are valid.

Either way, this breach is perfect example of why it’s a bad idea to used commonly available personal information as a security check.

“The IRS is continuing to conduct further reviews on those instances where the transcript application was accessed, including how many of these households filed taxes in 2015. It’s possible that some of these transcript accesses were made with an eye toward using them for identity theft for next year’s tax season,” a statement form the IRS explained.