IRS Confirms It Was a Victim of an Automated Attack
The attack, which occurred in January, targeted the electronic filing PIN application form on the IRS.gov Website. Experts said there are lessons to be learned.The U.S. Internal Revenue Service (IRS) is gearing up for another busy tax season, and it appears that hackers are getting ready, too. On Feb. 9, the IRS confirmed that it was the victim of an automated attack in January that targeted the electronic filing PIN application form on the IRS.gov Website. According to the IRS, attackers made use of personal information, including Social Security numbers, that was stolen from other non-IRS Websites. The attackers then used that information in an attempt to generate fraudulent E-File PIN numbers on IRS.gov. With a PIN number, an attacker could have potentially been able to file a tax return or gain access to other taxpayer information. The IRS investigation has found that 464,000 unique Social Security numbers (SSNs) were used in the attack, with 101,000 being successfully able to access the E-File PIN. The IRS is emphasizing that it has halted the attack and is contacting those who are affected. "No personal taxpayer data was compromised or disclosed by IRS systems," the agency stated. "The IRS also is taking immediate steps to notify affected taxpayers by mail that their personal information was used in an attempt to access the IRS application."
In May 2015, the IRS reported that its Get Transcript service was attacked. Get Transcript enables users to get information about their tax account transactions. As is the case with the new attack against the E-File PIN, the Get Transcript service attack involved user information that was stolen from third-party sites. The success rate for the Get Transcript attackers, however, was higher than it was for the E-File PIN attackers, where 100,000 out of 200,000 hack attempts were successful.
"As long as information such as Social Security numbers is used as identification, we will have bad actors trying to collect as much information about individuals to do harm, either through theft or worse," Hayter told eWEEK. Inga Goddijn, executive vice president at Risk Based Security, noted that taxpayers should be concerned that questionable security practices at organizations completely unrelated to the IRS have the potential of affecting their tax returns. Though the IRS has stated that no personal taxpayer data was compromised or disclosed in the new attack, JP Bourget, CEO of Syncurity, noted that there is still a real risk. "While maybe the IRS can in the end prevent any bad outcomes for taxpayers, I can imagine a few scenarios where a bad guy attempts to file a tax return for a refund that then holds up a valid refund to someone who is owed a refund, and even depending on that refund," Bourget told eWEEK. "There's also the angle of now your account is flagged and the uncertainty of how that affects a taxpayer over time and what hidden costs may arise from that." One potentially positive outcome that could result from the IRS attack is that lessons learned could help prevent the next attack. Goddijn said that it would be helpful if the IRS can share more detail as to how the agency detected the attack and ideas for preventing these types of enumeration attacks in the future. She added that the U.S. government has been pushing for more threat intelligence sharing and improved security practices for all organizations. "Why not take this opportunity to lead the charge and share more about the attack with the security community," Goddijn said. "That may help stop the next, similar assault on a high-value target." Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.