The Internal Revenue Service was dealt a serious setback to its aspirations to make its interactions with taxpayers as simple and straightforward as online banking. The tax agency is notifying more than 100,000 taxpayers that a criminal network stole their personal information from the IRS’ systems and has shut down the public-facing technology application involved in the attack until further notice.
The breach occurred within an IRS Web application called Get Transcript, a service that gave Americans electronic access to their tax returns from prior years. Hackers attempted to download the returns of around 200,000 taxpayers and were successful in at least 104,000 cases, officials said Tuesday.
But agency officials emphasized that the breach was not a cybersecurity incident, per se. The intruders accessed the system in exactly the same way any legitimate taxpayer would: By authenticating themselves with “out-of-wallet” personal data that only a taxpayer is supposed to know. In addition to names, Social Security numbers and addresses, the hackers were armed with additional details such as a taxpayer’s high school mascot, their pet’s name and other pieces of personal and financial information they’d gleaned from other sources.
“This is not a security breach in the usual sense,” John Koskinen, the IRS commissioner, told reporters on a conference call Tuesday afternoon. “This is a modified form of identity theft with criminals who had enough data to impersonate a taxpayer. I don’t want to denigrate social media, but that’s one of the ways they get their information, and they put it into a massive database. Then, when they get our authentication questions, they can just search their own databases. In some cases, the criminals can answer the out-of-wallet questions better than you can.”
The IRS said it will offer identity protection services at government expense for the 104,000 taxpayers whose data already is known to have been exfiltrated from the Get Transcript system. The agency also is sending notification letters to all 200,000 taxpayers whose accounts the attackers attempted to access in order to warn them that criminal organizations have enough personal data about them to at least try to access their IRS accounts.
Long-standing ID theft
The attack appears to have spanned from mid-February through mid-May. The IRS first noticed the problem when its automated systems picked up anomalous amounts of traffic to certain of the agency’s servers. Agency information technology experts first noticed the irregularities last week and initially suspected a targeted denial of service attack.
“But within a couple days, our IT people spotted a number of suspicious domains that had been using our Get Transcript application, and the way they were being used made it clear that these were not actual taxpayers,” Koskinen said. “They were doing it gradually, at a volume that they thought we wouldn’t notice.”
Koskinen declined to provide details of what the IRS knows or suspects about the attackers’ identities, citing an ongoing criminal investigation by the Treasury Inspector General for Tax Administration.
But he said the motivation for the assault on the Get Transcript system appeared to be another manifestation of an identity theft problem the agency has been combating for several years and that is highly-specific to tax fraud as opposed to other forms of identity theft: Criminals file fraudulent tax returns in the name of an unsuspecting taxpayer and claim a refund is due, hoping the IRS mails a check before it notices that anything is amiss.
But the IRS has employed increasingly-sophisticated filters over the past several years that are designed to flag returns that appear to be illegitimate because basic facts on the fraudulent return are different from the actual taxpayer’s prior-year returns. Those filters stopped 3 million returns this year and required manual review by IRS employees.
Koskinen said the entire operation appears to have been geared toward helping criminals fool those filters by mining enough information from taxpayers’ actual, prior year returns in order to make the fake returns appear legitimate.
In some cases, they have probably already succeeded. An IRS review of 2015 tax returns estimated that up to $50 million in improper payments may have been already been made to the syndicate involved in the newly-disclosed attack. But most of the data the criminals gathered was probably intended to be used for refund fraud in future years, Koskinen said. He also cautioned that it’s difficult at this stage to differentiate those estimated payments from various other schemes by other criminals engaged in other types of refund fraud.
23 million used Get Transcript
For now, the IRS has taken its Get Transcript application offline. For the time being, the agency is offering transcripts only by mail while it tries to figure out a more reliable way of authenticating legitimate taxpayers. Koskinen said a more-secure version of the service will be up and running as soon as possible, but could not provide a timeline.
The Web application hackers exploited relied on not just the IRS’ own information about taxpayers to authenticate users, but also leaned on closely-held data from credit bureaus and other sources commonly used in the private financial sector.
“The art form for us now is going to be — in addition to all of that — how we make it difficult for criminals to access our applications in volume but not very difficult for legitimate taxpayers to access their records one at a time,” Koskinen said. “How difficult can we make it to robocall through the system with all of the databases an organized criminal network has access to while at the same time protecting the individual who has a legitimate need to access their information? There’s not an easy answer.”
Koskinen said the IRS makes the protection of taxpayer information its highest priority, but it also needs to balance security against ease of use: If no one is able or willing to use the agency’s online systems, its huge customer service problems — mainly driven by budget cuts — could get a whole lot worse.
“We had 23 million downloads from Get Transcript this year,” he said. “If we had to convert all of those to paper or phone calls or visits to our taxpayer assistance centers, our backlog would be even more horrendous. It’s a challenge for everyone in the digital economy: How do we make those transactions secure? That’s how everyone is used to doing business. That’s exactly the question we’re all struggling with.”