IRS hack much worse than first feared

18 Aug 2015

The US Internal Revenue Service (IRS) has revealed that the hack into its computer database last May was almost three times as bad as first feared, with more than 300,000 accounts potentially compromised.

Back in May more than 100,000 taxpayers’ details were stolen through the IRS’ ‘Get Transcript’ app, which has since been removed, with around the same figure targeted but not compromised.

However, by casting its eye as far back as last November, the agency now thinks more than 600,000 accounts were targeted, just less than half of which were potentially accessed.

The agency is mailing those affected with advice on what the next stages are, along with additional services such as free credit protection and identity PINs, to help stop something like this happening again.

The embarrassment caused to the IRS, though, will be tough to recover from.

“The IRS would have much preferred to get all the bad news out in one shot,” said Gavin Reid, VP of threat intelligence at Lancope.

“This new revelation shows that the IRS still is working it out – learning the details of the attack. The fact they are forced to reveal new exposures highlights the lack of good logging and monitoring of network telemetry.”

To gain access to the information, the thieves obtained a collection of information about people (from outside the IRS), such as dates of birth, addresses and social security details, before using this to clear a multistep authentication process on the ‘Get Transcript’ app.

“This case highlights how easy it is for criminals to find, steal or guess information necessary to bypass perimeter protections,” said Leo Taddeo, CSO of Cryptzone, and former special agent in charge of the special operations/cyber division of the FBI’s New York office.

“Even security questions, such as ‘what was your high school mascot?’ pose no real security challenge in an era where many people are posting the details of their lives on social media.

“It definitely shows the need for network defenders to go beyond user names and passwords to protect sensitive data.”


Gordon Hunt was a journalist with Silicon Republic
