IRS hack leveraged stolen Social Security numbers

An IRS hack has compromised thousands of tax returns, and the attack was made possible through the use of stolen Social Security numbers.

The IRS announced that it has been hacked again. This time, the agency said it has "identified and halted an automated...

attack upon its Electronic Filing PIN application on IRS.gov."

According to the press release, the IRS hack was perpetrated using stolen Social Security numbers (SSNs) that were obtained "outside the IRS." The attackers then used an automated botnet to generate E-file PINs, and were successful with 101,000 out of 464,000 unique SSNs used.

The IRS claimed "no personal taxpayer data was compromised or disclosed by IRS systems." The IRS also said it is taking steps to notify affected taxpayers by mail about the attack and will be protecting the affected accounts by "marking them to protect against tax-related identity theft."

At the time of this publication, the IRS had not yet responded to requests for clarification on what kind of protection would be offered.

The press release also made it clear that this attack was "not connected or related to last week's outage of IRS tax-processing systems."

This announcement comes on the heels of President Barack Obama revealing plans for an increased federal cybersecurity budget and Cybersecurity National Action Plan. The plan included a proposal for the government "to safeguard personal data in online transactions between citizens and the government, including through a new action plan to drive the federal government's adoption and use of effective identity proofing and strong multifactor authentication methods, and a systematic review of where the federal government can reduce reliance on Social Security numbers as an identifier of citizens."

While this was the first confirmed IRS hack of 2016, the agency has had breach troubles recently. In May of last year, cybercriminals used an Internet tax returns and filings service, called Get Transcript, to steal unencrypted personal information and tax records from the IRS. Original estimates from that attack claimed about 100,000 accounts were affected, but the final tally was around 330,000.

Although it is unclear where the stolen Social Security numbers used in this latest attack were obtained, Rebecca Herold, CEO of Privacy Professor, said they could have come from almost anywhere.

"SSNs have been stolen through a large number of breaches, of many different types of organizations, over the past 15 plus years," Herold said. "Banks, retailers, employers -- the OPM hack was a gold mine of personal information for all their employees -- utilities, car lots, landlords, etc. Even some apps and social media sites collect SSNs, and for no good reason, though they say to use for identity verification."

"SSNs are used more widely for identification and other purposes than ever before. And yet, that data can be used for so many criminal activities, such as submitting tax returns using other people's personal information."

Next Steps

Learn why the global cost of identity theft could be as high as £3B per year.

Learn how to avoid Social Security number compliance violations with HIPAA.

Learn how predictable Social Security numbers expose citizens to ID theft.

Dig Deeper on Government IT Security Management

PRO+

Content

Find more PRO+ content and other member only offers, here.

Join the conversation

7 comments

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

Should the U.S. government stop using the Social Security number for identification? Should everyone stop using it for identification?
Cancel
I just don't think that that's realistic, because there needs to be some kind of unique identifier for a citizen. What do other countries use? Do they have government-issued unique id's too?
Cancel
Yes. And for a bit of emphasis YES!

That nine digit number has been so compromised for so long that it's virtually useless now, far more social than secure. Security has come a very long way since 1936 when a nine-digit number was the height of security. Things have changed - our most important, most secret, most used identifier needs to keep up.
Cancel
YES.. we use to have our SSN on our drivers license here. You just prayed you never lost your wallet or purse. A few years back they forced everyone to use a system generated number and or SSN was removed from the ID. I do not remember if it's on my passport though.. I'll have to take a look.
Cancel
That is just so unfortunate. Every one of us needs to keep an eye on our credit reports. Stolen identities can just wreak havoc on one's life. 
Cancel
Doesn't this happen every tax season? Stolen SS numbers, stolen income tax filings, stolen checks and stolen everything else.... Our social security numbers are so compromised they should be banned from all information requests. So should that incredibly stupid request for "the last four numbers". Okay, that's four, only five more to go....

We all know this now. Some of us far too well and far too personally. The Feds know it, the banks know it, your credit cards know it. So why is it taking so long, so incredibly long for any action...? Our "secure" system is anything but. What are we going to do about it...?
Cancel
No data accessible from the Internet is completely safe. None of it.
Cancel

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close