At least 100 000 American taxpayers have had their security compromised via a breach in the Internal Revenue Service (IRS) systems. The IRS has announced that criminals used taxpayer-specific data acquired from non-IRS sources to gain unauthorised access to information on approximately 100 000 tax accounts through IRS’ “Get Transcript” application.
This data included Social Security information, date of birth and street address.
According to a statement from the IRS, these third parties gained sufficient information from an outside source before trying to access the IRS site, which allowed them to clear a multi-step authentication process, including several personal verification questions that typically are only known by the taxpayer.
The matter is under review by the Treasury Inspector General for Tax Administration as well as the IRS’ Criminal Investigation unit, and the “Get Transcript” application has been shut down temporarily.
The IRS will provide free credit monitoring services for the approximately 100 000 taxpayers whose accounts were accessed. In total, the IRS has identified 200 000 total attempts to access data and will be notifying all of these taxpayers about the incident.
The IRS determined late last week that unusual activity had taken place on the application, which indicates that unauthorised third parties had access to some accounts on the transcript application. Following an initial review, it appears that access was gained to more than 100 000 accounts through the Get Transcript application.
In this sophisticated effort, third parties succeeded in clearing a multi-step authentication process that required prior personal knowledge about the taxpayer, including Social Security information, date of birth, tax filing status and street address before accessing IRS systems. The multi-layer process also requires an additional step, where applicants must correctly answer several personal identity verification questions that typically are only known by the taxpayer.