The IRS announced that it has been hacked again. This time, the agency said it has "identified and halted an automated...
attack upon its Electronic Filing PIN application on IRS.gov."
According to the press release, the IRS hack was perpetrated using stolen Social Security numbers (SSNs) that were obtained "outside the IRS." The attackers then used an automated botnet to generate E-file PINs, and were successful with 101,000 out of 464,000 unique SSNs used.
The IRS claimed "no personal taxpayer data was compromised or disclosed by IRS systems." The IRS also said it is taking steps to notify affected taxpayers by mail about the attack and will be protecting the affected accounts by "marking them to protect against tax-related identity theft."
At the time of this publication, the IRS had not yet responded to requests for clarification on what kind of protection would be offered.
The press release also made it clear that this attack was "not connected or related to last week's outage of IRS tax-processing systems."
This announcement comes on the heels of President Barack Obama revealing plans for an increased federal cybersecurity budget and Cybersecurity National Action Plan. The plan included a proposal for the government "to safeguard personal data in online transactions between citizens and the government, including through a new action plan to drive the federal government's adoption and use of effective identity proofing and strong multifactor authentication methods, and a systematic review of where the federal government can reduce reliance on Social Security numbers as an identifier of citizens."
While this was the first confirmed IRS hack of 2016, the agency has had breach troubles recently. In May of last year, cybercriminals used an Internet tax returns and filings service, called Get Transcript, to steal unencrypted personal information and tax records from the IRS. Original estimates from that attack claimed about 100,000 accounts were affected, but the final tally was around 330,000.
Although it is unclear where the stolen Social Security numbers used in this latest attack were obtained, Rebecca Herold, CEO of Privacy Professor, said they could have come from almost anywhere.
"SSNs have been stolen through a large number of breaches, of many different types of organizations, over the past 15 plus years," Herold said. "Banks, retailers, employers -- the OPM hack was a gold mine of personal information for all their employees -- utilities, car lots, landlords, etc. Even some apps and social media sites collect SSNs, and for no good reason, though they say to use for identity verification."
"SSNs are used more widely for identification and other purposes than ever before. And yet, that data can be used for so many criminal activities, such as submitting tax returns using other people's personal information."