The Internal Revenue Service said Tuesday evening that it recently identified and halted an automated attack upon its Electronic Filing PIN application on IRS.gov.
Using personal data stolen elsewhere outside the IRS, identity thieves used malware in an attempt to generate E-file PINs for stolen Social Security Numbers, according to the IRS. The E-file PIN is used in some instances to electronically file a tax return.
Based on its review, the IRS identified unauthorized attempts involving approximately 464,000 unique SSNs, of which 101,000 SSNs were used to successfully access an E-file PIN. The incident, involving an automated bot, occurred last month, and the IRS continues to closely monitor the web application. The IRS said the incident is not connected or related to last week’s outage of IRS tax processing systems (see IRS Systems Outage Shuts Down Tax Processing).
“No personal taxpayer data was compromised or disclosed by IRS systems,” said the IRS in a statement. “The IRS also is taking immediate steps to notify affected taxpayers by mail that their personal information was used in an attempt to access the IRS application. The IRS is also protecting their accounts by marking them to protect against tax-related identity theft.”
The IRS said its cybersecurity experts are currently assessing the situation, and the IRS is working closely with other agencies and the Treasury Inspector General for Tax Administration. The IRS also is sharing information with its Security Summit state and industry partners.
Last year, the IRS suffered a data breach in its online Get Transcript application during tax season. It remains in limited use this tax season and can only be used to order tax transcripts by mail.
During a hearing before the Senate Finance Committee on Wednesday about the IRS budget with IRS Commissioner John Koskinen, committee chairman Orrin Hatch, R-Utah, raised the matter of the cyberattacks. "We were reminded of these risks last year when data thieves breached the IRS’s own website through the Get Transcript portal and successfully stole the tax records of 330,000 taxpayers," Hatch said. "That is 330,000 taxpayers who now have their most sensitive tax information sitting out there in the hands of criminals waiting to use that information to do further damage this tax year, or the next, or even 10 years from now. We were reminded of this threat yet again just yesterday, when news broke of another large-scale attack against the IRS, but thankfully it appears that the attack was unsuccessful. The Get Transcript breach is going to haunt us for years to come, and, unfortunately, it’s only one of many."
“We had recent activity where we had organized criminals trying to figure out just how to get a filing PIN,” Koskinen told the committee. “All of that data and all of those people's Social Security Numbers that we know have been shared with states and with preparers so they can in fact advise their clients to take appropriate actions.”
He said all those who had been affected by the E-File PIN attack would be receiving letters from the IRS telling them their identities had been compromised.
Koskinen noted that the IRS has been working with the state tax authorities and the private sector tax industry on authenticating taxpayers to curb identity theft. He said some identity thieves have been asking the IRS about why they haven't received their tax refunds. "Talk about chutzpah," he said.
Koskinen said they have "thrown 2,000 people in jail for identity theft," and the IRS has hundreds of cases pending.
Koskinen said more taxpayers should apply for IP PINs, or identity protection personal identification numbers, to protect their identities when filing their taxes, and revealed that there has been little take-up so far on the program, which was originally restricted only to identity theft victims. He said he is one of the few people in the District of Columbia who has applied for an IP PIN. He would prefer to give taxpayers a different number to use than their Social Security Number for filing their taxes, but he said he found out that idea was "easier said than done."