Cybercriminals were able to successfully steal tax forms full of personal information of more than 100,000 taxpayers through IRS’ Get Transcript application. This data included Social Security information, date of birth and street address.
The IRS temporarily shut down the Get Transcript application last week after an initial assessment identified questionable attempts were detected on the system in mid-May. The online application will remain disabled until the IRS makes modifications and further strengthens security for it.
Here are some of the comments Help Net Security received.
Grayson Milbourne, Security Intelligence Director at Webroot
This attack on the IRS is yet another example of why businesses, especially high value targets like the IRS, need to take a fully comprehensive approach to cyber security. While we’d normally advice consumers to ask the following questions of the companies they deal with:
- How is my data protected?
- Who is responsible for cyber security?
- What steps are you taking to defend against attacks?
Unfortunately, this data is rarely customer facing and furthermore, consumers shouldn’t bear the burden of ensuring the businesses they deal with are properly secured.
In the case of this breach, it is nice to see that the IRS came forward very soon after the breach occurred. In other recent major breaches, it has taken months to reveal the information to the affected customers. In the case of the IRS breach, the data so far indicates that only 100k records were accessed which is a small fraction of the tax returns handled. Never the less, the IRS has taken steps to disable the service which was exploited using bogus email accounts.
In the day and age of the Internet, it would benefit the IRS to greatly improve security for the digital access to tax information. While convenient for most consumers, this data is also very sensitive and deserves the highest level of protection.
Eric Chiu, President of HyTrust
This is a wakeup call that breaches have a compounding effect and the stakes are getting higher. Attackers are on the hunt for our personal and financial information using data stolen from other breaches to gain a larger amount of information on those same individuals.
The outcome of this could be devastating to consumers – attackers can potentially open new accounts, siphon off funds and ultimately steal the identities of the victims. Attackers are getting more sophisticated and cybersecurity presents a huge risk to our economy. It’s clear organizations need to do more to protect against this threat.
Dave Palmer, Director of Technology at Darktrace
The sheer number of tax forms pulled from the IRS website is shocking, but the real crux of the attack was the criminals’ ability to masquerade as legitimate taxpayers. They acquired social security numbers, birthdays, physical addresses and other personal data that gave them the keys to the kingdom.
Until we are continuously monitoring the systems that hold this type of information and extremely sensitive to subtle changes in the way users interact with it, we are going to continue seeing this data taken and used against us.
Ken Westin, Senior Security Analyst at Tripwire
We live in a world where the Internet has become a database of ‘you’ and where one data breach can easily feed another. According to the IRS, the data came “from questionable email domains” and at a high velocity of requests. The information that was used to bypass the security screen, including: Social Security numbers, dates of birth and street addresses, are all components of data that have recently been compromised in health insurance data breaches. Tax filing status can be identified pretty easily if you know whether the person is married or not.
Unfortunately, the high number of large scale data breaches has essentially transformed our personal information into public information; and this data should not be used as security or authentication checks.
Tsion Gonen, VP of Strategy, identity & Data Protection, Gemalto
This data breach demonstrates the limitations of using static authentication credentials, especially information that cybercriminals are showing they can easily steal and then repurpose for data breaches such as this. Identity theft has been the leading type of data breach, accounting for 54% of data breaches in 2014 according to the Breach Level Index. That is why organizations should use strong authentication methods, such as one-time passwords delivered to mobile devices or phones, when users access accounts online.
Regardless what log-in credentials a hacker may have, they won’t get anywhere without the OTP. But a larger question is whether the stolen data was encrypted or not, especially since this was sensitive financial information.