How Hackers Breached the IRS and Stole $50 Million
May 28, 2015
The IRS announced this week that hackers successfully stole sensitive information from over 100,000 taxpayers using the IRS' online Get Transcript service. Identity thieves used this data to file fraudulent tax returns, stealing an estimated $50 million in tax refunds. In their statement, the IRS says they discovered the fraudulent activity last week. However, evidence of identity theft via the Get Transcript service has been available since at least March. And while the scale of the breach suggests sophisticated planning by organized cybercriminals, the techniques used to steal these transcripts are surprisingly simple.
The online Get Transcript service employed knowledge-based authentication of users. The idea is this: the IRS asks questions that only the individual in question could answer, and verifies their identity if they answer correctly. The service asked for Social Security Number, filing status, and address, plus various other questions drawn from Equifax credit report data. For example, it might ask about previous addresses or credit card application dates.
Nicholas Weaver, a researcher at the University of California, Berkeley, previously tried to access his own transcripts without resorting to personal knowledge. Using the real estate website Zillow and personal information site Spokeo, he was able to successfully find answers to the personal questions that only he should have known.
Cybercriminals who specialize in stealing and processing this personal data en masse were able to answer these identifying questions at scale. Much of the information used by the IRS to verify identity is either publicly available or for sale to underground cybercriminals. Hackers can buy access to stolen consumer or financial data, and then write a program to plug answers into the questions asked by the IRS. Once hackers successfully claim an identity, they can use the information from previous years' tax returns to file new, fraudulent returns and steal tax refunds.
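The scale of the abuse described above is also what makes it detectable: a scripted client answers knowledge-based questions for many different taxpayers from one source, with a pass rate no human guessing could reach. The following is an added illustration, not code from the article or the IRS; it runs over constructed log lines in an assumed format (timestamp, source IP, hashed taxpayer identifier, result) and flags sources that authenticate many distinct identities with a high success rate.

```python
"""Flag scripted knowledge-based-authentication (KBA) abuse in access logs.

Constructed example, not IRS code. Each log line is assumed to record one
Get Transcript KBA attempt as: <ISO timestamp> <source_ip> <taxpayer_id> <PASS|FAIL>.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: 203.0.113.5 is one person retrying their own identity,
# 198.51.100.7 cycles through six identities two seconds apart with a high pass
# rate, and 192.0.2.9 is a small shared address with too few attempts to judge.
SAMPLE_LOG = """\
2015-03-01T09:00:00 203.0.113.5 tp-0001 FAIL
2015-03-01T09:03:10 203.0.113.5 tp-0001 PASS
2015-03-01T09:00:00 198.51.100.7 tp-1001 PASS
2015-03-01T09:00:02 198.51.100.7 tp-1002 PASS
2015-03-01T09:00:04 198.51.100.7 tp-1003 FAIL
2015-03-01T09:00:06 198.51.100.7 tp-1004 PASS
2015-03-01T09:00:08 198.51.100.7 tp-1005 PASS
2015-03-01T09:00:10 198.51.100.7 tp-1006 PASS
2015-03-01T09:10:00 192.0.2.9 tp-2001 PASS
2015-03-01T09:12:00 192.0.2.9 tp-2002 PASS
2015-03-01T09:15:00 192.0.2.9 tp-2003 FAIL
"""


def parse_log(text):
    """Parse log lines into (timestamp, source_ip, taxpayer_id, passed) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, taxpayer_id, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, taxpayer_id, result == "PASS"))
    return events


def flag_sources(events, min_attempts=4, identity_threshold=5, min_pass_rate=0.8):
    """Return {source_ip: summary} for sources whose KBA activity looks scripted.

    A legitimate user authenticates one or a few identities; a source that
    clears KBA for many distinct taxpayers at a high pass rate is using
    purchased or scraped data to answer the questions automatically.
    """
    by_ip = defaultdict(list)
    for ts, ip, taxpayer_id, passed in events:
        by_ip[ip].append((ts, taxpayer_id, passed))
    flagged = {}
    for ip, rows in by_ip.items():
        if len(rows) < min_attempts:          # not enough data to judge
            continue
        identities = {taxpayer_id for _, taxpayer_id, _ in rows}
        pass_rate = sum(passed for _, _, passed in rows) / len(rows)
        if len(identities) >= identity_threshold and pass_rate >= min_pass_rate:
            flagged[ip] = {"attempts": len(rows), "identities": len(identities),
                           "pass_rate": round(pass_rate, 2)}
    return flagged
```

The thresholds are assumptions chosen for the sample; in production they would be tuned against shared NAT and tax-preparer traffic, which legitimately present several identities from one address.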
The IRS has disabled the online Get Transcript service while they investigate the data breach. They plan to notify all affected taxpayers, including those whose information the identity thieves failed to access. They are also offering a year of credit monitoring to those affected.
If you're one of the unfortunate victims of identity theft, don't expect a quick resolution. An audit by the Treasury Inspector General for Tax Administration found that the IRS resolved identity theft victims' cases after an average of 278 days.