Cyber criminals gained access to information from more than 100,000 taxpayer accounts by hacking into an online service the Internal Revenue Service uses to grant Americans access to previous tax returns, the agency said Tuesday, May 26.
The data obtained included several years’ worth of returns and other tax information on file with the agency, Commissioner John Koskinen said in a press conference.
From February to mid-May, the thieves hacked into the “Get Transcript” system, which requires users to know a taxpayer’s Social Security number, date of birth, address, and tax filing status. They attempted to gain access about 200,000 times using questionable email domains. Nearly half of the attempts were successful, clearing hurdles requiring authentication.
The breach is the latest in a string of similar incidents that have affected a number of businesses, including Target and JPMorgan Chase. This particular incident, however, differs in that it did not involve a computer hack.
“This is a wake-up call that breaches have a compounding effect and the stakes are getting higher,” said Eric Chiu, a security expert who is president of cloud computing security company HyTrust, according to The New York Times. “Attackers are on the hunt for our personal and financial information using data stolen from other breaches to gain a larger amount of information on those same individuals.”
Koskinen said the attackers must have already possessed a considerable amount of information about the taxpayers to access the system the way it was designed to be used. Koskinen called the breach a “modified form” of identity theft that has plagued the agency in recent years and added that the information was used to submit fraudulent tax returns.
Fewer than 15,000 fake returns were processed this tax season, leaving the agency responsible for paying about $50 million, officials said.
In 2013, falsely claimed refunds cost the IRS $5.8 billion.
Koskinen said he could not comment on who the hackers might be and that a criminal investigation is ongoing.
“We’re confident these are not amateurs. These are actually organized crime syndicates that not only we but everyone in the financial industry are dealing with,” he said.
The IRS received criticism from security experts after it revealed the hack. They said the agency could have provided additional context to authentication questions or used a multifactor system that sends a second password to users on their mobile phones.
Republicans have also criticized the IRS, which has encountered attacks since the disclosure that the agency purposely targeted political organizations for additional scrutiny of their tax-exempt applications, The New York Times reported.
“That the I.R.S. – home to highly sensitive information on every single American and every single company doing business here at home – was vulnerable to this attack is simply unacceptable,” said Sen. Orrin Hatch (R-Utah), chairman of the Finance Committee. “What’s more, this agency has been repeatedly warned by top government watchdogs that its data security systems are inadequate against the growing threat of international hackers and data thieves.”
While critics have voiced their concerns, Koskinen said the IRS stopped nearly three million suspicious returns this year.
Of the victims whose data was compromised, some have gone on to sue Intuit, claiming poor security measures are partly responsible for a rise in tax fraud this year and that the company could have done more to guard their personal information.
Following the breach, Intuit implemented extra security measures, including a multi-step authentication process that requires users to enter a code when they access their accounts from a new computer or mobile device.
The IRS is notifying taxpayers who were affected by the hack and providing them free credit monitoring.
“As always, the IRS takes the security of taxpayer data extremely seriously, and we are working aggressively to protect affected taxpayers and continue to strengthen our protocol,” the agency said.
(With reports from Reuters, The New York Times, The Washington Post and USA Today)