IRS Data Breach Exposes Tax Returns and Weak Security
The IRS announced yesterday that it had suffered a data breach which allowed criminals to gain access to the tax return information of more than 100,000 taxpayers. That information could then have been used to file fraudulent returns and to collect fraudulent refunds.
The hacking, which was limited to one IRS application, exposed weaknesses in the Service's authentication system and underscores the continuing risks that follow from the loss of personal information in other data breaches.
Not the Toughest Lock to Break
The attackers targeted the IRS's Get Transcript application, which provides tax return and payment data. Get Transcript can also provide tax account transactions, return information, and reported wages and income. To obtain the information, the attackers had to supply a Social Security number, an active email address, and personal, financial and tax information before a tax transcript would be released, according to Ars Technica. They attempted to access more than 200,000 accounts, succeeding half the time.
The IRS describes the operation as sophisticated. The IRS commissioner is "confident that these are not amateurs" but rather "organized crime syndicates," according to The New York Times. But you don't have to be a master hacker to break through the IRS authentication process. Much of the information needed to access the accounts could be found in public sources or purchased from criminals online.
The Trouble With Knowledge-Based Authentication
The IRS's Get Transcript application used what is called "knowledge-based authentication." These are the kind of proof-of-identity questions one might be asked when checking a credit score, for example: What is your Social Security number? When were you born? Where was your last return filed from? The problem with knowledge-based authentication is that much of that information is public or available for purchase from hackers, according to a recent analysis of weaknesses in the IRS's system.
That seems to be what happened in this case. The attackers cleared "a multi-step authentication process" requiring knowledge-based authentication using "taxpayer-specific data acquired from non-IRS sources." The source of the authentication data could have been any of the recent breaches, highlighting the risks that arise once one's personal information is stolen. The IRS is contacting the 200,000 people whose accounts were targeted by unauthorized access attempts and providing free credit monitoring to the 100,000 taxpayers whose information was actually accessed. Expect the lawsuits to begin shortly.
To prevent data theft and potential identity fraud, experts recommend adopting more robust authentication and safety procedures. In the meantime, consumers are advised to monitor their credit and to register for potentially sensitive government accounts, such as a Social Security Administration account, before crooks beat them to the punch.
Related Resources:
- 5 Questions About the IRS Data Breach (The Wall Street Journal)
- Reset The Net: Keeping Eyes Off Your Online Activity (FindLaw's Technologist)
- We Asked and We Received: Twitter Gets Two-Factor Authentication (FindLaw's Technologist)
- Microserf Proposes Solving Tech Problems With Medieval Law (FindLaw's Technologist)