Criminals have infiltrated the United States' Internal Revenue Service (IRS) systems, stealing the tax records of around 100,000 taxpayers through the IRS website's Get Transcript application.
The good news is that attackers didn't steal the information via a direct hack or unpatched hole in the IRS' systems. The bad news is that weak authentication of taxpayer information contributed to the data theft, with the thieves accessing accounts via stolen personal information that was likely acquired through a data marketplace.
The Get Transcript application is a feature of the IRS' website that allows taxpayers to download their tax return and tax payment data. To access this information, a user simply needs to enter an email address and Social Security number, followed by some personal verification information that includes the user's date of birth, address and tax filing status.
This type of verification system is vulnerable to fraud as the personal information used for verification never changes. If a criminal can gain access to this information, such as through a breach of another system, they can simply enter it into the IRS system to gain easy access to tax and income information.
Thieves attempted to access around 200,000 accounts through the Get Transcript application; however, half of the verification data in the hands of the thieves was incorrect. The IRS will be sending letters to all 200,000 affected citizens, notifying them of the third-party theft of their Social Security numbers and attempted unauthorized access of their accounts.
The IRS will also offer free credit monitoring to all the affected taxpayers to ensure any stolen data isn't being used for fraudulent activity. On top of this, the IRS will mark all affected accounts in their systems as potential targets for identity theft.
While the IRS notes that "this issue does not involve its main computer system that handles tax filing submission", the government agency has temporarily shut down the Get Transcript application to prevent further misuse. The IRS states that they will work "aggressively" to protect affected taxpayers and strengthen their security systems going forward.