Over 100,000 E-File PINs Fraudulently Accessed In Automated Attack On IRS App

Personal data stolen from other sources was used in attack, agency says

The IRS said Tuesday that it has stopped an automated attack in which cyber criminals used social security numbers and personal data stolen from elsewhere to generate the personal identification numbers (PINs) required for filing taxes electronically for over 101,000 individuals.

In total, stolen SSNs and personal data were used to try to access an E-File PIN for some 464,000 individuals, the IRS said. The incident, involving what the IRS described as an “automated bot,” happened last month, but it wasn’t immediately clear how quickly the attack was spotted and stopped.

Though the stolen SSNs were used successfully to generate PINs for 101,000 individuals, no personal data was accessed or stolen from IRS systems themselves, the agency said. All affected taxpayers are being notified by mail that their personal information was fraudulently used to generate an E-File PIN. Accounts belonging to the affected individuals have also been marked to protect against tax-related fraud, the IRS said.

This is the second time in less than a year that cybercriminals have used data stolen from other breaches to try to access taxpayer data in IRS systems, presumably to commit tax fraud such as claiming illegal refunds.

Last May, the agency revealed that it had been the victim of an almost identical attack involving the use of personal data stolen from other sources. In that case, though, the attackers targeted an IRS application dubbed “Get Transcript” that gives taxpayers a way to get copies of previous years' tax returns and transcripts of other records. Initially the IRS claimed the attack had netted the perpetrators full tax account records of some 100,000 people. But later estimates pegged the actual number of affected individuals at around 330,000.

Analysts at that time had pointed to the IRS’s relatively weak user authentication mechanisms for allowing attackers to gain access to the records.

The same concerns have surfaced following news of the most recent attack on an IRS application.

“The most important thing to note from this attack is that the fraudsters used information that they had stolen previously to gain access to more consumer data,” says Armen Najarian, chief marketing officer at security vendor ThreatMetrix. “Fraudsters have the opportunity to use the information they have stolen or purchased from the dark web to either file fraudulent returns or to enhance their database of PII data for future crimes,” he said in comments to Dark Reading.

“In a digital first, connected world, the traditional methods of identity validation and authentication are irrelevant and companies must find a way to establish true user identity without impacting other customers,” Najarian says.

Such incidents highlight the need for individuals to take their personal privacy and credit protection more seriously, says Chris Ensey, COO of Dunbar Security Solutions.

Most individuals are not aware of the extent of the potential damage to personal and professional lives that can be caused by identity theft. “For the enterprise, it should be clear that knowledge-based authentication that leverages credit history for a means of second factor, cannot be trusted. There is far too much end user credit data out there in the open,” Ensey says.

News of the latest cyber attack on the IRS comes just a week after the agency reported major system performance issues that rendered it temporarily unable to receive tax returns.
