The IRS announced that taxpayer-specific data, gathered and mined from non-IRS sources and including Social Security information, birth dates, street addresses, general user privacy and tax filing statuses, was compromised across more than 100,000 tax accounts. The announcement came a day after multiple reports revealed that the IRS (Internal Revenue Service) had suffered a data breach.
Third parties, the vulnerability
The attackers tried to exploit the “Get Transcript” application to gather taxpayer information, the IRS explained. The application has since been temporarily disabled, and no other systems were affected.
“These third parties gained sufficient information from an outside source before trying to access the IRS site, which allowed them to clear a multi-step authentication process, including several personal verification questions that typically are only known by the taxpayer,” the statement noted.
Suspicious activity was first noticed early in February and continued right up until the middle of May. The statement from the IRS added that ‘unusual activity’ on its “Get Transcript” app showed that several attempts were made to access user accounts.
So far, the IRS has identified 200,000 attempts to access such data. Those affected by the breach will be notified of the incident and, to help appease users, the more than 100,000 taxpayers whose “Get Transcript” accounts were breached will additionally receive free credit monitoring services provided by the IRS.
The incident is currently under review by the IRS’ Criminal Investigation Unit in tandem with the Treasury Inspector General for Tax Administration. “In addition, the IRS is marking the underlying taxpayer accounts on our core processing system to flag for potential identity theft to protect taxpayers going forward – both right now and in 2016,” the statement added.
A changing trend in the kind of data breaches made
John Gunn, Vice President at VASCO Data Security, noted that a change has definitively occurred in the stolen data market, as evidenced by the latest breach.
“Social Security numbers are becoming the primary high-value target of hackers because they are worth ten times as much as credit cards and they are protected by a fraction of the security of banking assets,” Gunn said. “This will obviously have to change or we will see an increasing number of victims.”
Experts have pointed out that strong authentication methods will go a long way toward curbing such data breaches. One-time passwords, for instance, which can be delivered directly to mobile devices when a transaction is triggered, will go a long way in keeping the hackers at bay, as they will be helpless when a fundamental practice such as a one-time password is implemented.