The US Internal Revenue Service said on Tuesday that info including tax returns and income forms for some 100,000 people were illegally accessed this year.
The US tax agency believes a group collected a trove of information on the victims and then used that data to fill out the authentication forms for the IRS's online "Get Transcript" feature, which allows taxpayers to access past tax records.
To say that the IRS itself was "hacked" – as some journos squawked today – is more than a stretch. The criminals did not compromise any IRS servers or exploit technical glitches in the Get Transcript feature. Rather, they gathered an obscene amount of personal data from their victims via other means, and then typed that data to the IRS site.
"Third parties succeeded in clearing a multi-step authentication process that required prior personal knowledge about the taxpayer, including Social Security information, date of birth, tax filing status and street address before accessing IRS systems," the IRS told The Reg in an emailed statement.
"The multi-layer process also requires an additional step, where applicants must correctly answer several personal identity verification questions that typically are only known by the taxpayer."
According to the IRS, the data theft operation ran from February through mid-May, when the activity was detected. In total, the IRS said 200,000 attempts to access personal information were made from "questionable" email accounts, about half of which resulted in successfully accessing the Get Transcript function.
It is not known how the personal information used to fill out the transcript requests was gathered, or from where.
"The matter is under continuing review by the Treasury Inspector General for Tax Administration and IRS offices, including Criminal Investigation," the IRS said. "The IRS notes this issue does not involve its main computer system that handles tax filing submission; that system remains secure."
The IRS has shut down the Get Transcript portal until further notice. The tax authority will also provide free credit monitoring services to those who were affected by the illegal access – and given the nature of the data required for access, they'll need it.
When your Social Security Number, date of birth, marital state, home address, and enough personal background to answer a handful of verification questions has been taken by an identity thief, you probably have other things to worry about than whether they view your 1040EZ.
Again, we would advise those not affected not to panic over any sensationalist "IRS has been hacked!" headlines currently floating around news and social media. This was not a breach of any IRS systems, but rather what appears to be the result of some very extensive phishing/data harvesting from 100,000 unlucky individuals. ®
Sponsored: Ransomware has gone nuclear