Yesterday, the IRS announced that it had shut down an online service for obtaining tax records after determining that “unusual activity had taken place on the application, which indicates that unauthorized third parties had access to some accounts on the transcript application.” According to the IRS statement, “access was gained to more than 100,000 accounts through the Get Transcript application.”
The information was not taken through a direct hack, but most likely through the exploitation of a weak authentication system used by the IRS to protect access to taxpayer data. The Get Transcript Online service allows taxpayers to get tax account transactions, line-by-line tax return info, or wage and income reported to the IRS for a certain tax year. The system requires a Social Security number and an active e-mail address to get started; from there, it asks a series of questions about personal, financial, and tax info before the service can be used. Knowledge-based authentication is very vulnerable to fraud because it relies on information that doesn’t change, and most of that information is readily available to people who want it badly enough.
In addition to the 100,000 taxpayers whose data was stolen, another 100,000 had unsuccessful attempts made to access their information using their Social Security numbers. The IRS will be sending a letter to all 200,000 taxpayers affected, “notifying them that third parties appear to have had access to taxpayer Social Security numbers and additional personal financial information from a non-IRS source before attempting to access the IRS transcript application.” The IRS is offering free credit monitoring “to ensure this information isn’t being used through other financial avenues,” the IRS statement says. The affected taxpayers will also have their accounts monitored for fraud for this and the 2016 tax reporting periods. Unfortunately, there isn’t much the people affected can do other than closely monitor their accounts and change whatever information they can.