Cybercriminals gained access to more than 100,000 Internal Revenue Service accounts and obtained personal information...
and tax records, the agency reported this week.
An Internet tax returns and filings service dubbed "Get Transcript" was accessed to steal the unencrypted tax filing information. Get Transcript's authentication process required the criminals to present Social Security information, date of birth, tax filing status, and street address for the victims. The personally identifiable information used to steal the tax files, the IRS alleges, was gathered from a third party source; most likely from previous breaches.
The breach lasted from February to mid-May, with half of the approximately 200,000 attempts succeeding. Overall, about 23 million transcripts were downloaded using the service this year. As a response, the IRS has shut down the "Get Transcript" application until security is improved and is offering free credit monitoring for the taxpayers whose accounts were compromised. The IRS also said it will be sending out letters to all of the taxpayers on whose accounts attempts were made. The matter remains under criminal investigation, but the IRS reportedly believes the attacks originated from Russia.
IRS Commissioner John Koskinen told the New York Times that less than 15,000 of the fraudulent returns were processed during this tax season and cost the IRS $50 million. The IRS stopped almost three million suspicious returns. In 2013, falsely claimed refunds cost the IRS $5.8 billion. And this is not the first time the IRS has been breached.
Healthcare breaches and PII security
Security experts say the breach shows the importance of PII security, as a number of recent healthcare industry breaches have exposed millions of patients' PII, which could later be used in other atttacks.
"The information that was used to bypass the security screen [is] all components of data that have recently been compromised in health insurance data breaches," Ken Westin, senior security analyst for Tripwire, Inc. said. "Unfortunately, the high number of large scale data breaches has essentially transformed our personal information into public information. And this data should not be used as security or authentication checks."
Anthem was breached earlier this year, exposing 80 million customers' personal info. Another 11 million were exposed in the recently disclosed Premera breach. The data used to bypass authentication in this breach was likely a byproduct of a previous breach, and security professionals seem to agree that it was likely information stolen from the health sector.
"Health records now are becoming even more valuable to criminals [than financial data]," said Hormazd Romer, director of product marketing at Accellion, a mobile file sharing firm based in Palo Alto, Calif. "Having your credit card information stolen is inconvenient and will cause you to have to get new credit card information, but you can't change your health records. That information has become very valuable for this very reason."
Criticism of the IRS' handling of the situation, however, focused on the fact the agency's authentication systems were easy to bypass, and this allowed cybercriminals to obtain even more PII. The IRS, critics claim, should have had better authentication systems in place that rely on more than just static health information.
Vanita Pandey, senior director of strategy and product marketing at ThreatMetrix, a security vendor based in San Jose, Calif., explained that the IRS breach would have a lasting effect.
"A data breach or hack such as the one that has targeted the IRS is like an oil spill -- it has an immediate impact on the environment and a lasting impact of 'digital debris,'" Pandey said. "Following such a hack, businesses have to then monitor and look at constant data and use that data to their advantage to ensure stolen identities are not used by cybercriminals."
Only the "Get Transcript" service was affected by this breach, according to the IRS. Core taxpayer accounts or other applications like "Where's My Refund" were not affected. But that doesn't mean that they won't be in the future, according to security experts.
"The underlying weakness in the IRS and other government website portals is they rely on knowledge-based authentication," said Brad Taylor, president and CEO of managed security provider Proficio of Carlsbad, Calif. "The answers to questions like, 'what is your address and SSN#' can be purchased from cyber crime sites or just researched on the Internet. The IRS needs to add more context to their challenge questions and monitor attempted access for suspicious behavior like multiple sign-ups from the same IP address."
For now, the IRS is working on patching its security and minding the vulnerability of victims.
"The matter is under continuing review by the Treasury Inspector General for Tax Administration and IRS offices, including Criminal Investigation," according to an official statement on the IRS website. "The IRS will be working aggressively to protect affected taxpayers and strengthen our protocols even further going forward."
Find out what experts said about healthcare data security challenges at RSA Conference 2015