The United States Internal Revenue Service has said that citizens affected by the Equifax breach need not panic, because it probably didn't reveal anything that hasn't already been stolen and the agency has tooled up to deal with fraudulent tax claims.
Commissioner John Koskinen, discussing whether the breach would interfere with tax collection, told journalists “a significant percent of those taxpayers already had their information in the hands of criminals”, according to a report of a Q&A session after a speech at the Service's "Security Summit".
In his prepared remarks, the commissioner said "We’ve seen the number of identity theft-related tax returns fall by about two-thirds since 2015. Over the past two years, fewer false returns have entered the system, fewer fraudulent refunds have been issued and fewer taxpayers have reported to the IRS that they were victims of identity theft. This dramatic decline helped prevent hundreds of thousands of taxpayers from facing the challenge of dealing with identity theft issues."
But that still leaves as many as 100 million individuals at risk of Equifax-sourced data giving them problems beyond the IRS. Koskinen added that Americans should assume their data is in criminal hands and act accordingly.
As we reported at the time of the mega-breach, not everything Equifax knew about Americans was leaked: “only the names, social security numbers, birth dates, addresses and, in some instances, driver's license numbers of 143 million Americans”.
It later emerged that the patching error that left the credit reporting company trouserless was common, with estimates that as many as 50,000 organisations downloaded still-vulnerable Apache Struts 2 packages after the software was patched against CVE-2017-5638.
Koskinen promised taxpayers the IRS wouldn't end up on the breach list, given how much “sensitive personal information has fallen into the hands of criminals recently”.
The Register decided a reality test was in order, and asked Troy Hunt (who maintains the HaveIBeenPwned database of breached accounts) whether Koskinen's remarks ring true.
“I think that would be just under one-third of the population … it may be fractionally on the high side,” Hunt said.
However, any general statement that “what's technically called a sh*tload” of Americans were already pwned is “probably accurate”. ®