The Internal Revenue Service announced on Tuesday that cyber thieves hacked into the agency’s online files and accessed information from 100,000 taxpayer accounts. The criminals used taxpayers’ personal information obtained from other sources. The hackers accessed a system within the IRS website called “Get Transcript,” where taxpayers retrieve their tax returns and other filings from previous years. To access the information, the thieves answered several security questions that required knowledge about the taxpayer. The Get Transcript application gives viewers the ability to see line-by-line tax return information or wage and income
IRS Director John Koskinen remained quiet on whether investigators believe the criminals are based overseas. The IRS has launched a criminal investigation, and the agency’s inspector general is also investigating. Identity thefts have increased in recent years. The IRS estimates it paid out $5.8 billion in fraudulent refunds to identity thieves in 2013. The IRS said in a statement that the hack occurred from February through mid-May. The IRS first detected unusual activity last week. Rob Roy, Chief Technology Officer of HP, says the information the hackers used to get into the system was probably stolen previously by other hackers.
The agency released a statement announcing the cyberattack. “The IRS announced today that criminals used taxpayer-specific data acquired from non-IRS sources to gain unauthorized access to information on approximately 100,000 tax accounts through IRS’ ‘Get Transcript’ application,” the statement said. “These third parties gained sufficient information from an outside source before trying to access the IRS site, which allowed them to clear a multi-step authentication process.”
IRS officials have not determined whether credit card numbers or other financial information were included in the breach. The Internal Revenue Service says it is investigating the attack and will notify by letter the 200,000 taxpayers who were affected by the breach. It will also pay for credit monitoring for the 100,000 known victims of the data spill.
Congress is pressing the agency for more information on the breach. “That the IRS — home to highly sensitive information on every single American and every single company doing business here at home — was vulnerable to this attack is simply unacceptable,” said Sen. Orrin Hatch, R-Utah, chairman of the Senate Finance Committee. “What’s more, this agency has been repeatedly warned by top government watchdogs that its data security systems are inadequate against the growing threat of international hackers and data thieves.”
The IRS claims its main computer system, which handles tax filing submissions, was not affected. “In all, about 200,000 attempts were made from questionable email domains, with more than 100,000 of those attempts successfully clearing authentication hurdles,” the agency said. “During this filing season, taxpayers successfully and safely downloaded a total of approximately 23 million transcripts.” As identity theft has exploded, the agency has added filters to its computer system to identify suspicious returns. These filters look for anomalies in the information provided by the taxpayer.