US tax man admits 100,000 records fraudulently downloaded in data breach

Tax authorities in the US have revealed that the personal tax records of up to 100,000 people have been stolen. 

The Internal Revenue Service (IRS), the federal government's tax-collecting authority, said yesterday that criminals used a system called “Get Transcript” to illegally download the tax details.

The transcripts can be used to claim fraudulent tax refunds.

The thieves had to negotiate an authentication system that included taxpayers' names, dates of birth, street addresses and Social Security (national ID) numbers. This kind of data about individuals is reportedly available for sale on the dark web.

IRS commissioner John Koskinen insisted that this was not the work of amateurs. “These actually are organised crime syndicates that not only we, but everybody in the financial industry, are dealing with,” he said.

Despite safeguards, the IRS believes that it paid out US$5.8 billion (£4 billion) in fraudulent tax refunds in 2013. It blames organised crime in the US and abroad for around 80 percent of fraud.

US congressmen lined up to bash the IRS for the data breach.

Senator Orrin Hatch, a Republican from the state of Utah and chairman of the Senate Finance Committee, said the IRS had been repeatedly warned about inadequate security. 

UPDATED: Paul McEvatt, Senior Cyber Threat Intelligence Manager at Fujitsu UK and Ireland, commented: "Whilst the IRS hack wasn't [a hack] in the traditional sense as the attackers used a legitimate service, it does highlight why data is seen as valuable to criminals as credit card information. The hackers were privy to a wealth of personal information in order to carry out this data breach and as a result this will open up further avenues for identity theft and personal information for malicious intentions."

And Geoff Webb, senior director, solution strategy at NetIQ, the security portfolio of Micro Focus, said: "We've been saying this for a long time – that we need to move beyond simple passwords and 'personal questions' to verify who a person is, simply because too much of that information is now available to everyone. This hack is a clear example of what will happen if we don't evolve quickly to improve how we authenticate – using more factors such as behavioural, biometric, and physical tokens."