IRS website attack nets e-filing credentials for 101,000 taxpayers

Share this…

Breach comes a year after a previous hack compromised 300,000 people. The US Internal Revenue Service was the target of a malware attack that netted electronic tax-return credentials for 101,000 social security numbers, the agency disclosed Tuesday.

Identity thieves made the haul by using taxpayers’ personal data that was stolen from a source outside the IRS, according to a statement. The attackers then used an automated bot against an application on the IRS website that provides personal identification numbers for the electronic filing of tax returns. In all, the hackers made unauthorized queries against 464,000 social security numbers but succeeded against only 101,000 of them.

No personal information was obtained from the IRS systems. Agency officials are flagging the accounts of all affected taxpayers and plan to notify them by mail of the incident. The IRS is also working with other government agencies and industry partners to investigate the hack or stem its effects. The hack occurred last month.

The breach underscores just how easy it is for attackers to dredge up personal information for huge numbers of people. With the recent compromises of the US Office of Personnel Management and health insurers Anthem, Premera, CareFirst, and Excellus—to name just a small sampling—it’s easy to see how a breach on one organization can provide hackers with enough raw data to compromise millions of accounts housed with unrelated organizations.

Last year, the IRS experienced a breach that allowed attackers to obtain personal information for more than 300,000 taxpayers. The hack targeted the IRS’s Get Transcript Web application, which provided online access to previous year’s tax return information. The data lost in last year’s attack provided enough information to theoretically file fraudulent tax returns and credit applications.

When the IRS first disclosed the compromise last May, it estimated that the number of taxpayers was a little more than 100,000. Three months later, it arrived at the 300,000 figure. It wouldn’t be surprising if the 101,000 estimate provided Tuesday is adjusted upward in the weeks or months to come.