After a long string of attacks against private companies, it became the Internal Revenue Service’s turn to step into the sights of the black hat community this week after a massive attack that claimed the most sensitive private information of over 100,000 tax-paying citizens. The breach saw the agency’s own fraud prevention system turned against it.

Much like banks and other institutions that deal in financial data, the IRS requires users to identify themselves with an elaborate combination of credentials on its online services to minimize the risk of unauthorized access. Except instead of usernames and passwords, its “Get Transcript” application uses personally identifiable information such as Social Security Numbers, which ended up backfiring.

The hackers responsible for the breach apparently obtained the details of their victims sometime in the run-up to the attack from an unspecified “non-IRS” source, according to the official statement from the agency, which opened the cryptographic gates wide open. From there, all that had to be done was download their victims’ tax transcripts.

That information will most likely be used for phony refund requests, an increasingly common type of fraud that resulted in the theft of an estimated $6 billion dollars from government coffers last year. However, as alarming as that is, the attack could have been much worse. The IRS stated that only half of the roughly 200,000 malicious log-in attempts that its engineers detected have been successful, but that should come as little comfort to the 100,000 people whose personal information was compromised.

To mitigate the chance of that happening, the IRS is offering free credit monitoring to the victims of the breach (and won’t require personal details to verify eligibility, the statement stressed) in addition to other percussions. That diminishes the risk of fraud somewhat, but doesn’t take away from the worrying simplicity with which the hackers managed to gain access to such sensitive information.

With a newly published study from IBM revealing that nearly a third of breaches are the result of system glitches, it’s clear there’s much work to do in order to meet modern security requirements. That’s just as true for enterprises as the IRS.

Photo Credit: subcircle via Compfight cc