back to article THE TRUTH: IRS 'cyber-hack' exposes 100,000 people whose identities were already stolen

The US Internal Revenue Service said on Tuesday that info including tax returns and income forms for some 100,000 people were illegally accessed this year. The US tax agency believes a group collected a trove of information on the victims and then used that data to fill out the authentication forms for the IRS's online "Get …

  1. Mark 85 Silver badge

    Hmm.... 100,000 ex's maybe?

    There's a lot of ex's who would take revenge anyway they could and this might one way. But if they have that much info to start, just opening a few accounts somewhere in the other persons name and not paying will destroy a credit report.

  2. Anonymous Coward
    Black Helicopters

    WAG

    It appears to me (WAG time) some is building a data warehouse from multiple breaches rather than than just one breach. If the victim information came from just one breach, that's mildly scary since we haven't had such a report. If warehoused, that's... seriously scary. It will only get better with age.

    1. JustWondering

      Re: WAG

      What is scary is the people on facebook giving up all sorts of information playing these fun games. What's your mother's maiden name, what's your first pet's name, etc.

      Just today I had an email offering a checkstub service so I can print them out on my computer. "We just need a little information ..."

      1. Eddy Ito

        Re: WAG

        It is not known how the personal information used to fill out the transcript requests was gathered, or from where.

        Outside of the SSN it's typically public information that's available online. Oftentimes the mark will help out by posting it on their little piece of the interweb along with a link to their mother and her brother who just so happens to also have her maiden name on his page. Huh, go figure.

        The elephant in the room is, as you say, whether anyone is doing any linking to other data breaches like Home Depot or Target. Perhaps it's not about maxing out a bunch of $20k credit cards and heading to a white sandy beach but building up a sizable enough portfolio of current data that if used properly and all at once could take down an economy. Think of it as a run on credit which would be analogous to a run on the bank only backward. Would printing more money solve the problem. Where's the house economist?

  3. wub

    Thanks

    Seriously, thanks once again for reporting responsibly and with enough detail to give readers a chance to reach our own conclusions.

    I'm a Yank, and I could be in the affected group. On a side note, your report is the first I've seen (so far) and you've given me the opportunity to be in a position help those near me to avoid the panic the fear mongers are so likely to stir up.

    1. Anonymous Coward
      Anonymous Coward

      Re: Thanks

      Heard this reported on the evening news tonight, and they did indeed say the IRS was hacked. Journalists are so ignorant of technology it annoys me until I realize they are ignorant about all other fields as well. They aren't exactly getting the best and brightest, especially given the falling prestige of that career.

      1. Christoph

        Re: Thanks

        Journalists' job is not to report the news accurately. It is to attract eyeballs to sell to advertisers. If they can make a story more sensational at the expense of the truth it is their job (within very broad limits) to do so.

  4. Stevie Silver badge

    Bah!

    It's not about the hackers "viewing your 1040EZ" you blithering twit. It's about having someone file a fraudulent tax return in your name next year and making off with a sizable refund check and leaving you,the hacked, on the hook for it all until it gets sorted out, which can take forever but in the meantime you still have to make good and the IRS works - legally - on the principle of guilty until you prove otherwise.

    1. BruceR

      Re: Bah!

      Did you somehow skip "you probably have other things to worry about than whether"?

      1. Stevie Silver badge

        Re: Bah!

        No. The BBC World Service article on the story is rather more clueful than El Reg's. Also, this is not a new scam, it just becomes easier if the IRS doesn't guard their cupboard of goodies properly.

  5. Anonymous Coward
    Anonymous Coward

    KBA failure

    Knowledge-based authentication is no longer a viable method of determining identity. This may not have been a 'hack' in the strict sense, but it does illustrate a rolling zero-day in the IRS mechanism, and as such, its effect is the same as if their systems had been breached electronically.

    There is no quick fix for this, no techno-bandaid like 2FA will change the fundamental problem that the IRS is broken administratively, legally, and technologically.

  6. Mike 16 Silver badge

    Social Security Number, date of birth, marital state, home address,

    That is, information available to anyone in the HR department of your employer.

    I'd hazard a guess that the rest of the "personal information known only to..." is pretty easy to obtain these days with a couple web-searches.

    "Secret Questions" are the weakest link of any authentication scheme. One should at _least_ be able to opt out of that method of authentication. (Yes, I know I could lie, and then put my lies in a password manager, or a post-it note, but then we are back to "no better than a password, but more hassle")

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021