The IRS initially claimed hackers had accessed information of 100,000 taxpayer accounts. On Monday, the Internal Revenue Service said that hackers may have accessed as many as 334,000 taxpayer accounts in total, over three times the initially reported estimate.
It was late May when the IRS revealed that 114,000 American taxpayers’ accounts were illegally accessed by cyber criminals during the four months prior to May, with a further 111,000 unsuccessful attempts made to access accounts.
Significantly, a statement released by the IRS on Monday, following a new review, now says that an additional 220,000 attempts were made to access sensitive taxpayer data, marking a total of 334,000 taxpayer accounts that were accessed illegally by malicious hackers, reports Reuters.
The statement also noted that an additional 170,000 unsuccessful attempts were made by those looking to steal taxpayer information.
A glaring vulnerability is taken advantage of by the IRS hackers.
The hackers targeted the “Get Transcript” application, which was available online and was shut down after the breach. As a feature, it allowed taxpayers to access information from previous tax returns.
“In May, the IRS determined unauthorized third parties already had sufficient information from a source outside the tax agency before accessing the “Get Transcript” application. This allowed them to clear a multi-step authentication process, including several personal verification questions that typically are only known by the taxpayer,” the IRS said in a statement.
Hackers favor such multi-step authentication systems because they make it hard to distinguish between “the good guys and the bad guys”, according to Jeff Hill, a cybersecurity expert at a private firm.
As mentioned in the statement above, the hackers were able to acquire taxpayer information from external sources before using it to correctly answer the multi-step authentication questions.
“Here we have a case where a successful authentication-based attack was discovered in May, and yet the IRS is still unclear of the extent of the breach’s damage months later. Even now, how confident is the IRS they fully understand the extent of the attack completely, or should we expect yet another shoe to drop in the coming weeks?” says Hill.
The breach resulted in some 15,000 fraudulent returns processed in the 2015 tax filing season, with the agency issuing refunds of nearly $50 million, as reported in May. Considering the new figures from the data breach response review, an IRS official said that the agency is currently reviewing the possibility of more fraudulent cases and added that such an operation would require a manual review of all individual returns.
The IRS also said that taxpayers whose information was likely breached will be getting letters via mail from the agency in the coming days. The same taxpayers will also get access to free credit protection and Identity Protection PINs, according to the statement.