Hackers who harvested 100,000 US taxpayers’ personal data using data from previous breaches were targeting high-value personal data, according to security experts.
The US Internal Revenue Service (IRS) said the hackers used data from non-IRS sources to gain unauthorised access to the agency’s “Get Transcript” feature from February to mid-May 2015.
The agency believes the data thefts are part of a planned larger campaign to make fraudulent claims for tax refunds using the stolen identities, reports SlashGear. According to the IRS, more than $5.8bn in fraudulent refunds were made in 2013.
Security experts said the breach underlines the need for strong online authentication, and is an example of a compound breach because hackers used data gleaned from social media and potentially other breaches to abuse the online feature that enables US taxpayers to get copies of past tax returns.
The hackers used the data to answer security questions in the multi-step authentication process used by the “Get Transcript” feature.
The IRS admits more than 200,000 attempts were made from “questionable” email domains, with more than 100,000 of those attempts successfully clearing authentication.
The agency is sending letters to all 200,000 potential victims of the attack campaign and has undertaken to provide credit monitoring for victims.
The IRS has also taken the “Get Transcript” feature offline, which means future applications for tax transcripts will have to be made by post or at an IRS office.
The agency said the main computer system that handles tax returns remained secure and that the “Get Transcript” feature abuse was under criminal investigation.
“Obviously, this is not easy to stop since we’re dealing with people who are buying a lot of equipment and hiring sophisticated people,” IRS commissioner John Koskinen was quoted as saying by Nextgov, in reference to the fact that most identity theft is carried out by well-resourced organised crime gangs.
Internet a database of personal information
According to Vasco Data Security vice-president John Gunn, the incident highlights a change that has occurred in the market for stolen data.
“Social security numbers are becoming the primary high-value target of hackers because they are worth 10 times as much as credit cards and they are protected by a fraction of the security of banking assets,” he said.
“This will obviously have to change or we will see an increasing number of victims.”
Gunn said that like many global banking institutions, the IRS should use a simple one-time password to protect taxpayers from identity theft.
Tripwire senior security analyst Ken Westin said the incident also highlights that the internet has become a database of personal information, and that one breach can easily feed another.
“Unfortunately, the high number of large-scale data breaches has essentially transformed our personal information into public information; and this data should not be used as security or authentication checks,” he said.
HyTrust president and co-founder Eric Chiu said the incident is a “wakeup call” that breaches have a compounding effect and the stakes are getting higher.
“Attackers are on the hunt for our personal and financial information using data stolen from other breaches to gain a larger amount of information on those same individuals,” he said.
“The outcome of this could be devastating to consumers – attackers can potentially open new accounts, siphon off funds and ultimately steal the identities of the victims.”
Chiu believes attacks of this nature present a huge risk to the global economy. “It’s clear organisations need to do more to protect against this threat,” he said.
Secure Channels CEO and co-founder Richard Blech said the breach could have been prevented if the IRS had used proper authentication using biometric multi-factors and deep encryption for all customer-sensitive data.
“Had the breached taxpayers’ sensitive information been encrypted, even if the hackers somehow bypassed a strong multi-factor authentication requirement, this would be a non-news event as the hackers would have left with completely useless, non-decryptable data,” he said.
Trust in government agencies
The underlying weakness in the IRS and other government website portals is they rely on knowledge-based authentication, according to Proficio president and CEO Brad Taylor.
“The answers to questions like what is your address can be purchased from cyber crime sites or just researched on the internet,” he said. “The IRS needs to add more context to their challenge questions and monitor attempted access for suspicious behavior like multiple sign-ups from the same IP address.”
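The monitoring Taylor describes, flagging one IP address that signs up as many different taxpayers, is the kind of velocity check a defender puts in front of a knowledge-based flow, because the article's own figures (more than 200,000 attempts from "questionable" email domains, over 100,000 of them passing) show the abuse is visible in aggregate even when each individual answer is correct. The script below is an added example written for this page; it is not IRS code and nothing in the article describes their logging. The log format, field names, sample lines and thresholds are all constructed assumptions.

```python
"""Velocity checks for a knowledge-based authentication (KBA) flow.

Added example for illustration: flags source IPs that attempt to enrol as
many different identities within a short window, and summarises attempts
per e-mail domain. Log format, fields and thresholds are assumptions, not
anything taken from the IRS or the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log: timestamp, source IP, sign-up e-mail, identity
# token (a real system would log a hashed or redacted taxpayer identifier,
# never the SSN itself), KBA outcome.
SAMPLE_LOG = """\
2015-03-01T09:00:01Z 203.0.113.10 a1@example.com ID-0001 pass
2015-03-01T09:00:07Z 203.0.113.10 a2@example.com ID-0002 pass
2015-03-01T09:00:12Z 203.0.113.10 a3@example.com ID-0003 fail
2015-03-01T09:00:19Z 203.0.113.10 a4@example.com ID-0004 pass
2015-03-01T09:00:25Z 203.0.113.10 a5@example.com ID-0005 pass
2015-03-01T09:30:00Z 198.51.100.7 jane@example.org ID-0006 pass
2015-03-01T12:00:00Z 198.51.100.7 jane@example.org ID-0006 fail
2015-03-01T14:00:00Z 192.0.2.44 bob@example.net ID-0007 pass
"""


def parse_log(text):
    """Parse one event per line into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, email, identity, outcome = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "ip": ip,
            "email": email,
            "identity": identity,
            "passed": outcome == "pass",
        })
    return events


def flag_ips(events, window=timedelta(minutes=10), max_identities=3):
    """Return {ip: peak distinct identities} for every IP whose peak count of
    distinct identities inside any `window`-long span exceeds `max_identities`.

    A household or small office behind one NAT address rarely authenticates
    as more than a handful of taxpayers within minutes; a scripted run that
    replays purchased KBA answers does exactly that.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        peak = 0
        for i, start in enumerate(evs):
            # Distinct identities seen from this IP in [start, start + window].
            seen = {e["identity"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            peak = max(peak, len(seen))
        if peak > max_identities:
            flagged[ip] = peak
    return flagged


def domain_stats(events):
    """Attempts, successful KBA passes and distinct source IPs per e-mail domain.

    A domain with a large attempt volume from few IPs is the aggregate signal
    that the individual, correctly answered challenges do not reveal.
    """
    stats = defaultdict(lambda: {"attempts": 0, "passes": 0, "ips": set()})
    for ev in events:
        domain = ev["email"].rsplit("@", 1)[-1].lower()
        s = stats[domain]
        s["attempts"] += 1
        s["passes"] += int(ev["passed"])
        s["ips"].add(ev["ip"])
    return {
        d: {"attempts": s["attempts"], "passes": s["passes"], "distinct_ips": len(s["ips"])}
        for d, s in stats.items()
    }


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, n in flag_ips(evs).items():
        print(f"ALERT {ip}: {n} distinct identities inside one {flag_ips.__defaults__[0]} window")
    for domain, s in sorted(domain_stats(evs).items()):
        print(f"{domain}: {s}")
```

The window and threshold are the parts a real deployment has to tune against its own baseline; the point is that the check runs on metadata the service already has (source address, timing, sign-up e-mail) and does not depend on the correctness of the knowledge-based answers, which is exactly the property the breach showed cannot be relied on.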
Independent security consultant Graham Cluley said that what makes this security breach worse is that the IRS and tax agencies around the world are not organisations anyone can choose not to share their personal data with.
“We all place our trust in government agencies that they will hold our information securely, and keep it out of the hands of unauthorised parties and criminal actors. We expect such agencies to have sufficient systems in place to authenticate users, and only grant authorised parties access to our data,” he wrote in a blog post.
Providing strong online authentication is the main motivation behind the UK government’s Gov.uk Verify identity and access management service.
The service enables users to choose their preferred option of nine suppliers when verifying their identity.
The Government Digital Service launched the Gov.uk Verify service in 2014 as part of its digital transformation of government services, to enable the public to access government services digitally and from one online location.
The Gov.uk Verify service improves the safety of online digital transactions with government, as the user’s personal data is not centrally stored and the identity provider cannot share it with third parties without the user’s consent.
The Department for Environment, Food and Rural Affairs was the first to implement the scheme, to allow farmers to submit farm information and claim subsidies.
HM Revenue & Customs followed with a trial of the service to help the public complete their online self-assessment tax returns.
Towards the end of 2014, the government predicted the service would be used by almost half a million people by April 2015 for services such as Universal Credit claims and updating driving license details for the Driver and Vehicle Licensing Agency.