The Internal Revenue Service on Tuesday said it recently discovered and halted an automated bot attack on its electronic filing PIN application website.
Identity thieves used malware in an attempt to generate E-file PINs for 464,000 Social Security numbers stolen from another source, the IRS said. The hackers succeeded in accessing an E-file PIN for 101,000 of those numbers.
No personally identifiable information was compromised or disclosed by its systems, the IRS said. It will mail notifications to let affected taxpayers know that their personal information was used to access the IRS application.
IRS cybersecurity experts are assessing the incident, and the service is working closely with other agencies and the Treasury Inspector General for Tax Administration. It also is sharing information with its Security Summit state and industry partners.
The attack was not related to a temporary outage of IRS processing systems that occurred in January, the IRS said.
The announcement comes less than a week after the IRS website experienced brief system outages due to a hardware failure. The outages affected electronic return processing, as well as several other systems provided by the service.
Large commercial enterprises also can find themselves vulnerable when targeted by sophisticated cyberattacks, noted Eric Chiu, president of HyTrust.
Both public and private sector organizations can “host large amounts of personally identifiable information that hackers can monetize once stolen,” he told the E-Commerce Times.
The information these organizations hold about citizens, employees and veterans could make them targets not only for theft of financial information, but also for theft of information that could be used for identity fraud, as well as for activities that could impact political and national defense operations.
Taxpayers need to check financial statements to make sure their Social Security numbers have not been used to help an attacker engage in any fraudulent activity, or to lure the taxpayer into a scam, Chiu said.
Beware of Phishing Exploits
Another potential risk is that attackers may use stolen Social Security numbers to contact taxpayers directly and pretend that the communication is from a legitimate government organization. The IRS has heightened its usual warnings during tax season, emphasizing that it does not call taxpayers by telephone and cautioning that attackers may attempt to use deceptive means, including bogus email, to engage with taxpayers.
The FBI last year launched an investigation into a massive attack on the IRS, which compromised personal data belonging to more than 100,000 taxpayers. The hackers accessed data they found through the Get Transcript application, which allows taxpayers to access prior-year tax transcripts and employer payment information.
Although the federal government has taken steps to increase protection against illegal hacking activity, it lacks the proper incentives to take the steps necessary to protect itself against repeated incidents, suggested analyst Jeff Kagan.
“Since the IRS is a government agency and not a business, they have no competition,” he told the E-Commerce Times. “Users cannot just switch to an organization that is safer. Because of that, there must be a lower sense of urgency regarding this information.”