Criminals hacked into an Internal Revenue Service website and gained access to approximately 100,000 tax accounts, the agency said Tuesday. Another 100,000 attempts were made but were not successful.
The attack appears to have first begun in February, the agency said.
The hackers got in by taking information about taxpayers they’d acquired from other sources and using it to correctly answer several personal identity verification questions in the IRS’ “Get Transcript” application, the IRS said in a statement.
This allowed them to get information about tax accounts through the application. The information stolen included Social Security information, date of birth and street address.
The Get Transcript application allows users to view their tax account transactions, line-by-line tax return information or wage and income reported to the IRS for a specific tax year. It was used to securely retrieve approximately 23 million taxpayer transcripts last year, the IRS said.
The information the hackers used to get in was probably previously stolen by other hackers who then sold it on the open market, said Rob Roy, chief technology officer ofHP Enterprise Security Products.
The hackers who bought it “appear to have hired an army of people to submit over 200,000 queries into the IRS site over a period of four months. Not exactly a quick and easy operation,” he said.
“The matter is under review by the Treasury Inspector General for Tax Administration as well as the IRS’ Criminal Investigation unit, and the ‘Get Transcript’ application has been shut down temporarily,” the IRS said.
The agency will provide free credit monitoring services for the approximately 100,000 taxpayers whose accounts were accessed.
The theft was discovered late last week when IRS staff noticed unusual activity on the application. Further investigation showed that attempts were made beginning in February.
The breach does not involve the main IRS computer system that handles tax filing submissions. “That system remains secure,” the IRS said.
“The IRS historically has been very security, it has to be by virtue of the data it collects. But it just goes to show that even the most secure system can be attacked,” said Larry Ponemon of the Ponemon Institute, a data security research group.
Source: USA Today