Cybersecurity Firms Fire Fresh Warnings After US Tax Authority Is Hit By Hackers
The IRS has been hit by hackers, prompting fresh warnings from the cybersecurity sector.
(Updates with fresh comment.)
The US Internal Revenue Service has been hit by hackers. The tax collection authority said it identified and halted an attack in which 101,000 social security numbers were used to access electronic files, prompting security firms to warn about the dangers of such breaches.
“Using personal data stolen elsewhere outside the IRS, identity thieves used malware in an attempt to generate E-file PINs for stolen social security numbers. An E-file PIN is used in some instances to electronically file a tax return,” the IRS said in a statement. "Based on our review, we identified unauthorised attempts involving approximately 464,000 unique SSNs, of which 101,000 SSNs were used to successfully access an E-file PIN."
The agency said it is immediately telling affected taxpayers by mail that their personal information was used in an attempt to access the IRS application. The IRS is also protecting their accounts by marking them to protect against tax-related identity theft, it said.
The latest attack is part of a trend of hackers targeting private and public sector organisations, including those linked to the wealth management industry; in 2014, JP Morgan suffered a data breach that affected 76 million accounts, although there was no evidence of money being stolen. Cybersecurity has become a major part of the fintech industry and has been flagged as a worry for business leaders in financial services and other sectors.
The IRS said its cybersecurity experts are carrying out checks and working with other agencies and the treasury inspector general for tax administration.
The IRS added that the incident is not connected or related to last week’s outage of IRS tax processing systems.
“Attackers are very capable of taking data stolen from other sites and using it for secondary attacks to more lucrative systems, as in this case. SSN data is regulated personally identifiable information under many regulations and should be protected,” said Mark Bower, global director, product management at HPE Security - data security.
Lisa Baergen, manager at NuData Security, said of the attack: "It is disappointing that the IRS’ Get Transcript Tool has once again been used by hackers in the run-up to tax season, and their success rate was shocking. Last year the same tool was used to gain information on American citizens in order to submit fraudulent tax returns. This year the same tool has been leveraged to obtain the very identity protection PINs that were lauded last year as a way for taxpayers to protect their accounts and private information.
"What did the hackers use in their automated attack? Just the name, address, date of birth and social security number – and thanks to countless breaches, some even at the highest levels of the American government, this information is not hard to find. If the data is out there, it will be used. Why are we making it easier for hackers? So long as key security measures rely on easily obtained, personally identifying information, this will keep happening. We have to devalue that cheap, easy to come by data and approach authentication in an entirely new way or these headlines will keep appearing every spring," she added.
Justin Megawarne, lead developer at Qredo, said: "This hack is a great example of how data stolen from elsewhere, sometimes innocuous, can be used to compromise a completely different system, and highlights why data security is important even if the data doesn’t appear to be sensitive at first. There are a variety of solutions in the market to the issues surrounding user authentication, or the challenge of ensuring that the person trying to gain access through personal details is who they say they are. A viable alternative solution would be for the IRS to securely deliver hardware authentication devices to consumers, similar to the devices used by many banks. Tax services continue to treat social security numbers (SSNs) and Unique Taxpayer Reference (UTR) numbers as secret material, which they are manifestly not, when they should instead be treated as unique identifiers only, rather than secure identifiers."