IRS hacker attack puts US tax payers at risk

The IRS, the United States government agency for collecting taxes, has admitted that for more than two months malicious hackers targeted its systems, and managed to gain access to information about more than 100,000 tax payers.

As Associated Press reports, the hackers managed to steal tax returns and other tax information filed with the IRS, between February and mid-May of this year.

The hackers are said to have accessed a system called “Get Transcript”, a service which is designed to allow tax payers to review their tax account transactions line-by-line for a specific tax year – something which is apparently useful for those applying for mortgages or help with college fees.

However, according to a statement issued by the IRS, the online criminals managed to waltz through the “Get Transcript” service’s security page, which normally requires users to enter information such as their social security number, date of birth, tax filing status and street address to access the system.

It is feared that up to $50 million worth of fraudulent refunds could have been made so far using information taken from the stole transcripts. However, that figure may rise if the information on old returns is further exploited in the future.

This can happen if a fraudster creates an online account in a victim’s name and claims a tax refund, a threat warned about by security blogger Brian Krebs in March.

However, the agency is at pains to point out that its main computer systems, which handle millions of tax filing submissions every year, remain secure.

“In all, about 200,000 attempts were made from questionable email domains, with more than 100,000 of those attempts successfully clearing authentication hurdles. During this filing season, taxpayers successfully and safely downloaded a total of approximately 23 million transcripts.”

At the time of writing, the “Get Transcript” online service is temporarily shut down and displaying an alert message, advising tax payers to retrieve their information via a (somewhat slower) snail mail service instead.

IRS Get Transcript

The online Get Transcript service is currently unavailable. Transcripts may still be ordered using the Get Transcript by Mail service. We apologize for any inconvenience.

ESET security researcher Stephen Cobb says the irony of this attack is that the transcripts are used by taxpayers who are trying to cope with tax identity fraud. Says Cobb, “Just last week I met two more victims of tax identity fraud and one piece of advice I gave them was to order their transcript; they can still do that, by now only by mail.”

According to Associated Press, IRS Commissioner John Koskinen already has opinions on the type of people who might be behind the attack:

“We’re confident that these are not amateurs,” said IRS Commissioner John Koskinen.

IRSHmm. Well, he may well be right. But we shouldn’t perhaps take too much solace in the fact that it is organised professional criminals who might now have their hands on the personal information on a large number of tax payers.

What I find interesting about that statement is considering who might benefit from hearing that it’s professionals who accessed private information held by the IRS, not a bunch of kids in their back bedrooms.

Certainly, it’s less embarrassing for the IRS if they are able to paint the attack as highly sophisticated and professional… but it’s not necessarily something to feel pleased about if you’re one of the unfortunate victims.

The news of the IRS hack is already creating political ripples, with the chairman of the Senate Finance Committee issuing a statement pointing the finger of blame at poor computer security:

“That the IRS – home to highly sensitive information on every single American and every single company doing business here at home – was vulnerable to this attack is simply unacceptable. What’s more, this agency has been repeatedly warned by top government watchdogs that its data security systems are inadequate against the growing threat of international hackers and data thieves.”

Cobb says, “Despite new efforts to ramp up tax identity theft investigations, the IRS is suffering from five years of relentless budget cuts imposed by Congress and that does not bode well for the agency’s efforts to defeat determined digital criminals. That said, of all the three letter federal agencies, the IRS is probably the one most feared by scofflaws.”

Once again, security has been found lacking and hackers have managed to grab sensitive information belonging to innocent members of the public. What adds to the nightmare in this case, of course, is that the IRS (and other tax agencies around the world) are not organisations who you can choose *not* to share your personal data with.

We all place our trust in government agencies that they will hold our information securely, and keep it out of the hands of unauthorised parties and criminal actors. We expect such agencies to have sufficient systems in place to authenticate users, and only grant authorised parties access to our data.

It seems that at least 100,000 US tax payers are finding out the hard way that the IRS was not deserving of that trust.

Lets hope that those responsible are apprehended quickly, before too much damage is done.

Author Graham Cluley, We Live Security

Follow us

Copyright © 2016 ESET, All Rights Reserved.