Cyber thieves have stolen personal tax information from more than 100,000 taxpayers in the US in an elaborate attack on the IRS.
According to the IRS, the stolen data included Social Security information, dates of birth and addresses.
It is feared that up to US$50m worth of fraudulent refunds could have been made so far using the information taken from the stolen transcripts.
It is understood that the thieves accessed a system called ‘Get Transcript’ where taxpayers can get tax returns and other filings from previous years.
“These third parties gained sufficient information from an outside source before trying to access the IRS site, which allowed them to clear a multi-step authentication process, including several personal verification questions that typically are only known by the taxpayer,” the IRS said in a statement.
“The matter is under review by the Treasury Inspector General for Tax Administration as well as the IRS’ Criminal Investigation unit, and the ‘Get Transcript’ application has been shut down temporarily. The IRS will provide free credit-monitoring services for the approximately 100,000 taxpayers whose accounts were accessed. In total, the IRS has identified 200,000 total attempts to access data and will be notifying all of these taxpayers about the incident.”
The IRS said that it noticed unusual activity on the application last week and shut ‘Get Transcript’ down. It will remain disabled until security is sufficiently strengthened.
It is believed that the online criminals could have been accessing the system for at least two months.
“In this sophisticated effort, third parties succeeded in clearing a multi-step authentication process that required prior personal knowledge about the taxpayer, including Social Security information, date of birth, tax filing status and street address, before accessing IRS systems,” the IRS said.
“The multi-layer process also requires an additional step, where applicants must correctly answer several personal identity verification questions that typically are only known by the taxpayer.”