Security Advisor

IRS Data Breach Victim Number Much Higher than Originally Thought

The incident also highlights the growing trend of attackers using Big Data to access personal information.

The high-profile breach of the IRS Get Transcript app in May might have affected more than 330,000 individuals, the government agency reported on Monday.

The latest figure triples the initial estimate of 110,000 individuals that was given when news of the breach first broke. According to the findings earlier in the year, thieves had broken into the IRS network and gained access to personal information through the agency's Get Transcript app -- a service that lets taxpayers view tax transcript information from previous years online or have it mailed to them.

According to the IRS, attackers were able to steal personal tax information by first obtaining individual private data, including Social Security numbers, birthdates and addresses, from outside sources. The thieves were then able to access personal Get Transcript tax information by bypassing the multistep authentication with the aid of the previously stolen data. With confidential tax data and Social Security information, identity thieves could apply for many types of loans in the victims' names.

The IRS disabled the Get Transcript service shortly after learning about the breach.

On Monday the IRS said that it is sending letters to potential victims alerting them to the situation and will offer free credit monitoring services to those who might have been affected. It is also continuing its investigation into the party responsible.

"The IRS takes the security of taxpayer data extremely seriously," the agency said. "We are working to continue to strengthen security for `Get Transcript,' including by enhancing taxpayer-identity authentication protocols."

What's interesting about the IRS incident is that the breach wasn't a breach in the traditional sense -- attackers did not disable or bypass security features. They used previously mined data to answer authentication questions correctly. This shines a light on one of the darker aspects of the growing use of Big Data, argues Ken Westin, senior security analyst for Tripwire.

"This is a perfect example of how unrelated data breaches imperil us all," said Westin. "Cybercriminals have identified ways to correlate and aggregate data compromised in other breaches to increase their profits. The information that was used such as  Social Security numbers, date of birth, tax filing status (married or not) and street address is the same type of information that we have seen compromised by Anthem and a handful of other breaches."

Using stolen data to pass security procedures as a legitimate user also brings up another interesting point that was highlighted this week: Without an identifiable entry point, it's hard to get an accurate initial count of how many people were affected.

Commenting on this, Jeff Hill, channel manager at security firm STEALTHbits Technology, said that the amount of time it takes to fully grasp the size of the incursion makes the practice of using stolen data to log into an account a favored method for attackers.

"One of the reasons authentication-based attacks are so effective – and so popular among hackers -- is that they're very difficult to identify," said Hill. "Once legitimate credentials are obtained, it's nearly impossible to distinguish between the good guys and the bad guys, especially if the attackers are patient and disciplined. Here we have a case where a successful authentication-based attack was discovered in May, and yet the IRS is still unclear of the extent of the breach's damage months later."

About the Author

Chris Paoli is the site producer for and

