Last year, IRS was hacked twice where personal information of thousands of taxpayers was stolen. Now, according to a statement issued Tuesday by the IRS, cyber criminals have used stolen personal information of more than a hundred thousand U.S. citizens in an attempt to use the electronic tax-filing system for fraudulent purposes. A similar attack took place less than a year ago, in May of 2015, though with harsher consequences.
The first news of the attack came last month when it was conducted, but until the official statement, the extent of damages and the response of the Agency were unclear to the public.
Luckily, IRS officials confirmed that the breach, carried out by an automatic bot, was stopped before any harm was done. Although the bot managed to generate the e-PINs necessary for filing an electronic tax return, the Agency succeeded in stopping further violations of their system.
In the official statement, the IRS confirmed that they “identified unauthorized attempts involving approximately 464,000 unique Social Security Numbers, of which 101,000 were used to successfully access and E-file PIN.”
As a precaution, the IRS will make sure that all the accounts exploited in the breach are closely monitored for any additional security breaches, and will be protected as much as possible from further attempts of tax fraud.
The IRS also denied that the breach is in any way related to the computer network outage reported last week, which prevented the agency from receiving tax returns for a couple of days.
An important issue that transpired from the attack is the clearly faltering system of identification the IRS uses for electronic tax filing. Armen Najarian, an employee of the security vendor ThreatMetrix, notes the underlying importance of working towards a safe way in which organizations will confirm their users identity without impacting customer experience in the process.
Chris Ensey, COO of Dunbar Security Solutions, adds that these incidents reflect an important security threat and a necessary change in individuals’ approached, who need to pay greater attention to both their personal privacy and protection of credit.
Many critics also point to the possible if not the definite connection between this attempt with last year’s attack on hospital records. As Caleb Barlow, Vice President of IBM Security noted in El Reg, “There’s an interesting connection between his targeted attack and the 100+ million healthcare records we saw compromised in 2015. The information obtained in the compromised health care records could be what was needed to try to access these high-value accounts.”
Thus, the implications of the breach have an impact on a number of stakeholders. On the one hand, it is vital that identity theft and its potential dangers are taken as a serious threat by individuals. On the other, it is mandatory that focused action is taken by companies and law enforcement agencies to prevent such occurrences, particularly as the digitally connected world continues to grow and Internet-based practices take over the traditional ones.
