Sign up to our newsletter
The Internal Revenue Service (IRS) in the US has announced that a major data breach it first made public in May is far bigger than previously thought.
It noted in an official press release that more than twice as many US taxpayers have been affected, with cybercriminals gaining access to up to 330,000 accounts.
The attackers also attempted – but failed – to gain access into a further 280,000 accounts through a flaw on the IRS’ Get Transcript online service, which has since been temporarily shut down.
These new figures have come to light following a supplementary investigation into the incident. The IRS explained that on the back of its initial assessment, it carried out a “deeper analysis”, which revealed that more individuals had been compromised.
“As it did in May, the IRS is moving aggressively to protect taxpayers whose account information may have been accessed,” it stated. “The IRS will begin mailing letters in the next few days to about 220,000 taxpayers where there were instances of possible or potential access to Get Transcript taxpayer account information.”
Furthermore, the IRS said that it will also be mailing letters to other individuals whose personal information may be at risk, irrespective of the fact that the cybercriminals were unsuccessful in accessing these specific accounts.
Responding to news that the breach was markedly more extensive than first thought, Peter Roskam, US representative for Illinois’s sixth congressional district and chairman of the House Ways and Means Oversight Subcommittee that oversees the IRS, said it was “deeply troubling”.
He added: “Taxpayers deserve to know that the IRS is taking every possible step to safeguard their personal information. Today’s revelation that the IRS didn’t fully understand this security breach for months is not confidence-inspiring.
“The Oversight Subcommittee will continue to work to get to the bottom of this breach and work with the IRS to improve cybersecurity systems guarding taxpayers personal data.”
Author Karl Thomas, ESET