August 18, 2015 — A hack of the Internal Revenue Service first reported in May was nearly three times as large as previously stated, the agency said Monday.
Thieves have accessed as many as 334,000 taxpayer accounts, the IRS said.
In May, the IRS reported that identity thieves were able to use the agency's Get Transcript program to get personal information about as many as 114,000 taxpayers.
On Monday, the IRS said an additional 220,000 accounts had also been hacked. In all, 334,000 accounts were accessed, though whether information was stolen from every one of them is not known.
The hackers made use of an IRS application called Get Transcript, which allows users to view their tax account transactions, line-by-line tax return information or wage and income reported to the IRS for a specific tax year.
To enter the Get Transcript system, the user must correctly answer multiple identity verification questions.
The hackers took information about taxpayers acquired from other sources and used it to correctly answer the questions, allowing them to gain access to a plethora of data about individual taxpayers.
The Get Transcript service was shut down in May.
Hackers love authentication-based systems because it's very difficult to distinguish between "the good guys and the bad guys" when someone is trying to get in, said Jeff Hill of STEALTHbits Technologies, a cyber security company.
"Here we have a case where a successful authentication-based attack was discovered in May, and yet the IRS is still unclear of the extent of the breach's damage months later. Even now, how confident is the IRS they fully understand the extent of the attack completely, or should we expect yet another shoe to drop in the coming weeks?" Hill said.
Notification of the increased number of hacked accounts came Monday.
In a statement the agency said, "as part of the IRS's continued efforts to protect taxpayer data, the IRS conducted a deeper analysis over a wider time period covering the 2015 filing season, analyzing more than 23 million uses of the Get Transcript system."
That analysis revealed an additional 220,000 accounts had also potentially been accessed.
In addition to accounts the hackers were successfully able to access, the IRS disclosed hack attempts that didn't succeed. There were 111,000 attempts on accounts disclosed in May and 170,000 disclosed on Monday, for a total of 281,000 accounts where the hackers "failed to clear the authentication processes," the agency said.
Taxpayers whose information was potentially breached will get letters in the mail from the IRS in the coming days.
They will also get access to free credit protection and Identity Protection PINs, the IRS said in a statement.
From USA Today