Skip to content

How Hackers Breached the IRS and Stole $50 Million

2 min readBy: Tom VanAntwerp

The IRS announced this week that hackers successfully stole sensitive information from over 100,000 taxpayers using the IRS’ online Get Transcript service. Identity thieves used this data to file fraudulent taxA tax is a mandatory payment or charge collected by local, state, and national governments from individuals or businesses to cover the costs of general government services, goods, and activities. returns, stealing an estimated $50 million in tax refunds. In their statement, the IRS says they discovered the fraudulent activity last week. However, evidence of identity theft via the Get Transcript service has been available since at least March. And while the scale of the breach suggests sophisticated planning by organized cybercriminals, the techniques used to steal these transcripts are surprisingly simple.

The online Get Transcript service employed knowledge-based authentication of users. The idea is this: the IRS asks questions that only the individual in question could answer, and verifies their identity if they answer correctly. The service asked for Social Security Number, filing status, address, and other various questions using data from Equifax credit reports. For example, it might ask about previous addresses or credit card application dates.

Nicholas Weaver, a researcher at the University of California, Berkeley, previously tried to access his own transcripts without resorting to personal knowledge. Using the real estate website Zillow and personal information site Spokeo, he was able to successfully find answers to the personal questions that only he should have known.

Cybercriminals who specialize in stealing and processing this personal data en masse were able to answer these identifying questions at scale. Much of the information used by the IRS to verify identity is either publicly available or for sale to underground cybercriminals. Hackers can buy access to stolen consumer or financial data, and then write a program to plug answers into the questions asked by the IRS. Once hackers successfully claim an identity, they can use the information from previous years’ tax returns to file new, fraudulent returns and steal tax refundA tax refund is a reimbursement to taxpayers who have overpaid their taxes, often due to having employers withhold too much from paychecks. The U.S. Treasury estimates that nearly three-fourths of taxpayers are over-withheld, resulting in a tax refund for millions. Overpaying taxes can be viewed as an interest-free loan to the government. On the other hand, approximately one-fifth of taxpayers underwithhold; this can occur if a person works multiple jobs and does not appropriately adjust their W-4 to account for additional income, or if spousal income is not appropriately accounted for on W-4s. s.

The IRS has disabled the online Get Transcript service while they investigate the data breach. They plan to notify all affected taxpayers, including those whose information the identity thieves failed to access. They also are offering a year of credit monitoring to those affected.

If you’re one of the unfortunate victims of identity theft, don’t expect a quick resolution. An auditA tax audit is when the Internal Revenue Service (IRS) conducts a formal investigation of financial information to verify an individual or corporation has accurately reported and paid their taxes. Selection can be at random, or due to unusual deductions or income reported on a tax return. by the Treasury Inspector General for Tax Administration found that the IRS resolved identity theft victims’ cases after an average of 278 days.