Tax Commissioner Expects More IRS CyberattacksLatest Attack Targeted System Used to Generate E-Filing PIN
The Internal Revenue Service in January was the victim of yet another hacker attack, and IRS Commissioner John Koskinen acknowledges that more such attacks should be expected.
See Also: Secure Access in a Hybrid IT World
"We have to recognize that this is going to be an ongoing problem," Koskinen testified at a Feb. 10 Senate Financial Services Committee hearing, adding that IRS systems are attacked or pinged 1 million times a day. "The caliber of the enemy we are facing is increasingly more sophisticated and more global. We're dealing with organized crime syndicates all around the world."
On Feb. 9, the IRS said it identified and halted a January attack, generated by an automated bot, on its Web application that taxpayers use to produce personal identification numbers for electronic tax filings. Using personal information stolen elsewhere, the attackers used malware to produce electronic filing PINs so they could file for false tax refunds, according to an IRS statement.
The IRS says it's notifying affected taxpayers by mail that their personal information was used in the latest attempt to access the IRS application. The agency says it's protecting those taxpayers' accounts by "marking them to protect against tax-related identity theft."
The IRS says it identified unauthorized attempts involving some 464,000 Social Security numbers, including 101,000 that were used to successfully access e-file PINs. No personal taxpayer information was compromised or disclosed from IRS systems. "They weren't cyber breaches in the sense that our database was accessed," Koskinen says.
In last year's attack on the IRS Get Transcript system, thieves may have accessed as many as 334,000 taxpayer accounts (see IRS Hack Much Wider Than First Thought).
Both attacks represent "sophisticated forms of ID theft," the commissioner says. "The criminals already had all of the personal info of the taxpayer they needed."
Koskinen told the Senate panel the IRS over the past year has toughened its cyberdefenses, in part, through knowledge garnered from an information-sharing program established last year with tax-filing providers and states' taxing authorities. "We have been attempting to move from being solely reactive to pulling together the resources we need and the partnerships we need to try to get ahead of the game, get a head of where the criminals are going," he said.
Attacks on the IRS and tax-preparation companies are seasonal events. "Such operations are especially common starting in January and February, when many employers and financial institutions, among other entities, distribute tax documents," according to iSight Partners, a cyberthreat analysis company. "Fraudulent tax filings in the U.S. will likely increase over the next months leading to the tax deadline."
A year ago, tax preparation software provider Intuit temporarily suspended electronic filings via its TurboTax offering because the service experienced a dramatic increase in suspicious filings and criminal attempts to leverage stolen identities in order to claim tax refunds.
"It is axiomatic that we and every financial institution in the world are under attack," Koskinen says. "That's because criminals already have a vast amount of personal information and they're trying to figure out how to monetize that information."
Security Controls' Deficiencies
Though the attacks on the IRS' e-file PIN application and Get Transcript did not involve a breach of core IRS databases that store details on taxpayers' personal information and finances, a November audit by the Government Accountability Office took the tax agency to task for deficiencies in internal information security controls, including missing security updates, insufficient audit trails and monitoring for certain key systems and the use of weak passwords (see GAO: Taxpayer Data at Increased Risk).
"Until IRS takes the necessary steps to address these control deficiencies, its financial and taxpayer data will remain at increased risk of inappropriate and undetected use, modification or disclosure," Cheryl Clark, GAO director of financial management and assurance, said in the audit report.