The United States Internal Revenue Service (IRS) has admitted that cyber-thieves made off with the personal details of 100,000 tax payers after tricking officials into sending them filings from previous years belonging to the victims.
The cyber-criminals used data already harvested illegally on the 100,000 unlucky individuals to commit identify fraud, bypassing security measures which require knowledge of individual Social Security numbers, dates of birth, and street address, according to an IRS statement.
They used this to scam the “Get Transcript” system where taxpayers can have reissued filings and tax returns from previous years.
The online app has now been shutdown temporarily after it was hit between February and mid-May. Internal IRS IT staff apparently flagged an issue last week after spotting an unusually high number of users.
The tax service was at pains to point out that its main computer system handling tax filings was not affected and that the cyber-gang involved must have stolen the personal details use to commit the crime from “non-IRS sources.”
It added:
“In this sophisticated effort, third parties succeeded in clearing a multi-step authentication process that required prior personal knowledge about the taxpayer, including Social Security information, date of birth, tax filing status and street address before accessing IRS systems. The multi-layer process also requires an additional step, where applicants must correctly answer several personal identity verification questions that typically are only known by the taxpayer.”
It said that only about half of the 200,000 attempts to access filings from the Get Transcript app from “questionable email domains” were successful.
“It’s possible that some of these transcript accesses were made with an eye toward using them for identity theft for next year’s tax season,” IRS added.
Criminals could then file their fraudulent returns early, before the genuine taxpayer, and claim refunds back from the IRS. The agency paid out a staggering $5.8bn in fraudulent refunds in 2013, according to AP.
The tax service will now be notifying all 200,000 individuals affected that their personal details have been obtained somehow from sources outside the IRS, and will offer free credit monitoring for the 100,000 hit by the Get Transcript scam.
Ken Westin, senior security analyst at Tripwire, argued that the IRS should use different means to authenticate its users.
“Unfortunately, the high number of large scale data breaches has essentially transformed our personal information into public information; and this data should not be used as security or authentication checks,” he added.