100K taxpayers compromised in latest IRS hack
Some changes are clearly in order at the cybersecurity department of the U.S. Internal Revenue Service. Less than six months after admitting that hackers pilfered personal information about more than 300,000 individuals from its website, the agency has revealed that another 101,000 accounts were compromised in a similar attack a few weeks ago. The breach occurred shortly before a mysterious outage disabled electronic tax return filing for two days.
To dispel potential concerns, the IRS clarified in a statement that the two incidents are believed to be unrelated. The alert goes on to detail that the hackers employed Social Security Numbers harvested from an external source, likely one of the numerous private companies that were breached over the last few months, to exploit the E-Filing PIN form on its website. Taxpayers have to submit the application in order to receive a personalized code that is used to verify the authenticity of their return claims.
The assailants presumably sought to replicate the success of the first attack against the IRS last year, which yielded an estimated $50 million in unlawful refunds along with a treasure trove of personal details. Thankfully, however, the agency says that the leak didn’t affect much else besides the PINs of the 101,000 compromised accounts. That should provide some limited measure of comfort for the affected taxpayers, although the methodology of the hack raises bigger questions about the IRS’s cybersecurity.
The agency said that the attack employed a bot programmed to automatically input SSNs and other requisite information from its creators’ stolen data cache into the E-Filing PIN application. Only one out of four attempts was successful, meaning that more than 400,000 requests were made before the IRS managed to detect the effort. This seems to suggest that its website, or at least the form tool, lacks a reliable mechanism to protect against brute-force attacks. Considering that even e-commerce stores often block access after a certain number of repeated actions like failed logins, the absence of such a system constitutes a major failure on the agency’s part.
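The kind of control described above can be sketched as follows. This is an added example, not IRS code: it pairs a per-client submission limit with a site-wide failure-ratio alarm, and the class name, thresholds and client identifiers are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque

class FormThrottle:
    """Sliding-window throttle for a PIN-request form (all names hypothetical)."""
    def __init__(self, client_limit=5, window=60.0, min_sample=20, max_fail_ratio=0.5):
        self.client_limit = client_limit      # submissions per client per window
        self.window = window                  # window length in seconds
        self.min_sample = min_sample          # results needed before judging the ratio
        self.max_fail_ratio = max_fail_ratio  # site-wide failure ratio that alarms
        self.by_client = defaultdict(deque)   # client id -> (timestamp,) entries
        self.results = deque()                # (timestamp, succeeded), all clients

    def _expire(self, q, now):
        # Drop entries that have aged out of the window.
        while q and now - q[0][0] >= self.window:
            q.popleft()

    def allow(self, client, now):
        """Return True if this client may submit the form at time `now`."""
        q = self.by_client[client]
        self._expire(q, now)
        if len(q) >= self.client_limit:
            return False
        q.append((now,))
        return True

    def record(self, now, succeeded):
        """Store the outcome of a submission and report whether to alarm."""
        self.results.append((now, succeeded))
        self._expire(self.results, now)
        failures = sum(1 for _, ok in self.results if not ok)
        return (len(self.results) >= self.min_sample
                and failures / len(self.results) > self.max_fail_ratio)

def replay(events):
    """Replay (time, client, succeeded) events; return (allowed, blocked, alarm_time)."""
    throttle, allowed, blocked, alarm_at = FormThrottle(), 0, 0, None
    for now, client, ok in events:
        if not throttle.allow(client, now):
            blocked += 1
            continue
        allowed += 1
        if throttle.record(now, ok) and alarm_at is None:
            alarm_at = now
    return allowed, blocked, alarm_at

# Constructed traffic: 100 automated submissions, two per second, with the
# one-in-four success rate the article reports.
SINGLE = [(i * 0.5, "client-0", i % 4 == 0) for i in range(100)]          # one source
SPREAD = [(i * 0.5, f"client-{i % 50}", i % 4 == 0) for i in range(100)]  # 50 sources
```

Replaying `SINGLE` shows the per-client limit cutting the run off after five submissions; replaying `SPREAD` shows that traffic spread across many sources passes that limit and is caught only by the failure-ratio alarm.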
The issue reflects the broader need for better security in the public sector amid today’s growing cyber threats. The repercussions of poor network protection became all too clear after the breach at the Office of Personnel Management last year, which reportedly saw Chinese hackers make away with the records of 18 million federal employees, many of whom hold security clearances.