Hackers Build Profiles From Breached Data to Attack IRS Get Transcript Tool

The IRS’s Get Transcript tool has once again been used by hackers in the run-up to tax season, and their success rate was shocking. By pooling the information of over 460,000 taxpayers, hackers were able to set an automated bot program loose and successfully obtained over 100,000 e-file PINs. Those PINs would have let the hackers file fraudulent tax returns weeks before unsuspecting taxpayers even had the chance to submit their own.

If this sounds familiar, last year the same Get Transcript tool was used to gain information on American citizens in order to submit fraudulent tax returns. This year, the tool has been leveraged to obtain the very Identity Protection PINs that were lauded last year as a way for taxpayers to protect their accounts and private information. What did the hackers use in their automated attack? Just the name, address, date of birth and Social Security Number – and thanks to countless breaches, some even at the highest levels of the American government, this information is not hard to find. The good news is that the IRS did detect and shut down the bot, preventing the hackers from getting additional PINs, and locked the affected accounts so those fraudulently obtained PINs could not be used to submit a tax return. Affected taxpayers are being contacted by the agency.
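The detection the IRS is credited with above comes down to spotting one client working through many taxpayers’ identities in a short time, which is what distinguishes a bot feeding breached PII into a PIN-retrieval form from a person retrieving their own PIN. The following is an added example, not IRS code: it runs a velocity check over constructed log lines in an assumed format, with made-up client addresses and taxpayer identifiers.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log for a hypothetical PIN-retrieval endpoint; the
# line format, client addresses and taxpayer identifiers are all made up.
SAMPLE_LOG = """\
2016-01-14T08:00:01 client=198.51.100.7 taxpayer=t1001 result=success
2016-01-14T08:00:01 client=198.51.100.7 taxpayer=t1002 result=fail
2016-01-14T08:00:02 client=198.51.100.7 taxpayer=t1003 result=fail
2016-01-14T08:00:02 client=198.51.100.7 taxpayer=t1004 result=success
2016-01-14T08:00:03 client=198.51.100.7 taxpayer=t1005 result=fail
2016-01-14T08:00:03 client=198.51.100.7 taxpayer=t1006 result=fail
2016-01-14T08:00:10 client=203.0.113.42 taxpayer=t2001 result=fail
2016-01-14T08:00:45 client=203.0.113.42 taxpayer=t2001 result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) taxpayer=(?P<tp>\S+) result=(?P<res>\S+)$")

def parse_log(text):
    """Parse the assumed log format into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            events.append(d)
    return events

def detect_bulk_kba_abuse(events, window=timedelta(minutes=5), max_identities=3):
    """Flag any client that requests PINs for more than max_identities distinct
    taxpayers inside one window. Retrying your own identity (203.0.113.42) is
    not flagged; enumerating many identities is, whether or not the guesses succeed."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)
    alerts = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            seen = {e["tp"] for e in in_window}
            if len(seen) > max_identities:
                succ = sum(1 for e in in_window if e["res"] == "success")
                alerts[client] = {"distinct_taxpayers": len(seen), "successes": succ}
                break
    return alerts
```

Accounts named in an alert’s window are the ones to lock and contact, which mirrors the response the article describes.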

In a Senate Financial Services Committee hearing, IRS Commissioner John Koskinen wanted to put the attack, identified and stopped this January, in perspective: the systems used by the IRS are attacked or pinged a million times a day, most frequently every January and February. Koskinen explained that these are not one-time events, and attacks will happen again. Hackers of course consider the IRS systems to be one of the largest internet honeypots out there.

Even with that warning, it must be understood that two years of back-to-back breaches is a huge blow to taxpayer confidence in a system that is supposed to handle our most private information. The IRS also said it is marking affected accounts in order to protect them from identity theft, but there is no clear information on what that means or how it will help so long as its authentication methods don’t change. The very PINs championed last year were obtained this year using information taken from other, unrelated data breaches. These are the very scenarios that internet security experts have been warning would happen if fundamental changes to authentication methods weren’t made.

It’s clear: if the data is out there, it will be used. Why are we making it easier for hackers? So long as key security measures rely on easily obtained, personally identifying information, breaches of this magnitude, exposing ever more private information, will keep happening. We have to devalue that cheap, easy-to-come-by data and approach authentication in an entirely new way, or these headlines will keep appearing every spring, and in every industry.