Security Advisor

IRS Data Breach Victim Number Much Higher than Originally Thought

The incident also highlights the growing trend of attackers using Big Data to access personal information.

The high-profile breach of the IRS Get Transcript app in May might have affected more than 330,000 individuals, the government agency reported on Monday.

The latest report triples the initial estimate of 110,000 individuals that was given when news of the breach first broke. According to the findings earlier in the year, thieves had broken into the IRS network and gained access to personal information through the agency's Get Transcript app -- a service that lets taxpayers view online, or have mailed to them, tax transcript information from previous years.

According to the IRS, attackers were able to steal personal tax information by first obtaining individual private data, including Social Security numbers, birthdates and addresses, from outside sources. The thieves were then able to access personal Get Transcript tax information by bypassing the multistep authentication with the aid of the previously stolen data. With confidential tax data and Social Security information, identity thieves could apply for many types of loans in the victims' names.

The IRS disabled the Get Transcript service shortly after learning about the breach.

On Monday, the IRS said that it is sending letters to potential victims alerting them to the situation and will be offering free credit monitoring services to those who might have been affected. It is also continuing its investigation into the party responsible.

"The IRS takes the security of taxpayer data extremely seriously," the agency said. "We are working to continue to strengthen security for 'Get Transcript,' including by enhancing taxpayer-identity authentication protocols."

What's interesting about the IRS incident is that the breach wasn't a breach in the traditional sense -- attackers did not disable or bypass security features. They used previously mined data to answer authentication questions correctly. This shines a light on one of the darker aspects of the growing use of Big Data, argues Ken Westin, senior security analyst for Tripwire.

"This is a perfect example of how unrelated data breaches imperil us all," said Westin. "Cybercriminals have identified ways to correlate and aggregate data compromised in other breaches to increase their profits. The information that was used such as Social Security numbers, date of birth, tax filing status (married or not) and street address is the same type of information that we have seen compromised by Anthem and a handful of other breaches."

Using stolen data to legitimately bypass security procedures also brings up another interesting point that was highlighted this week: Without an identifiable entry point, it's hard to get an accurate initial estimate of how many people were affected.

Commenting on this, Jeff Hill, channel manager at security firm STEALTHbits Technology, said that the amount of time it takes to fully grasp the size of the incursion makes using stolen data to log into an account a favored method for attackers.

"One of the reasons authentication-based attacks are so effective -- and so popular among hackers -- is that they're very difficult to identify," said Hill. "Once legitimate credentials are obtained, it's nearly impossible to distinguish between the good guys and the bad guys, especially if the attackers are patient and disciplined. Here we have a case where a successful authentication-based attack was discovered in May, and yet the IRS is still unclear of the extent of the breach's damage months later."

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
