posted by takyon on Monday August 17 2015, @08:45PM

The U.S. Internal Revenue Service has increased its estimate of the number of taxpayers affected by a security flaw to about 334,000:

The IRS says more taxpayers than it originally believed had their data stolen by hackers. The agency now says the total is now more than 300,000.

In May, when it first revealed the breach, the IRS reported some 114,000 taxpayers had their data stolen. But in what the IRS is calling a "deeper analysis" of the breach, it identified an additional 220,000 cases where hackers got access to taxpayer records. The agency says hackers tried, but failed to access the data of some 280,000 more taxpayers.

The hackers got into the accounts by clicking a link on the IRS website called Get Transcripts. The link allowed taxpayers to get copies of their own back tax returns to use, for example, in applying for loans.

The hackers, who the IRS believes may have been part of an organized crime syndicate possibly based in Russia, were sophisticated.

Reuters, CBS, WSJ.

Previously: IRS Coughs up 100,000 Tax Returns to Thieves



Related Stories

IRS Coughs up 100,000 Tax Returns to Thieves

Many news outlets seem to be carrying this story:

Sophisticated criminals used an online service run by the IRS to access personal tax information from more than 100,000 taxpayers, part of an elaborate scheme to steal identities and claim fraudulent tax refunds, the IRS said Tuesday.

The thieves accessed a system called "Get Transcript," where taxpayers can get tax returns and other filings from previous years. In order to access the information, the thieves cleared a security screen that required knowledge about the taxpayer, including Social Security number, date of birth, tax filing status and street address, the IRS said.

The Get Transcript site requires certain knowledge about past returns, most of which is guessable, such as a social security number, and other fairly accessible information. Complete records of prior years are returned via email if the thieves succeed in providing enough screening items correctly.

Old tax records enable the thieves to go after refunds, not only for the current year, but future refunds as well. Having tax returns from prior years provides a wealth of information for future identity theft.

About 200,000 attempts were made, and about half of them succeeded. The system is currently shut down, and Congress is making stern sounds. But as yet the IRS does not know if these thefts were carried out by domestic or foreign thieves.


  • (Score: 2, Insightful) by Anonymous Coward on Monday August 17 2015, @08:49PM

    by Anonymous Coward on Monday August 17 2015, @08:49PM (#224093)

    The real number is always 3 times bigger/worse/more_expensive than originally offered.

    Always.

  • (Score: 2) by Techwolf on Monday August 17 2015, @08:56PM

    by Techwolf (87) on Monday August 17 2015, @08:56PM (#224096)

    Does that mean I don't have to file or pay taxes if my records were stolen by the Russians?

    • (Score: 2, Insightful) by nitehawk214 on Monday August 17 2015, @09:11PM

      by nitehawk214 (1304) on Monday August 17 2015, @09:11PM (#224101)

      No, it means you will have to pay twice. And your identity is permanently compromised with no recourse to correct it.

      --
      "Don't you ever miss the days when you used to be nostalgic?" -Loiosh
      • (Score: 2) by Techwolf on Tuesday August 18 2015, @12:51AM

        by Techwolf (87) on Tuesday August 18 2015, @12:51AM (#224177)

        Why? The Russians stole the records. The IRS no longer has any record of me making any money. :-)

    • (Score: 0) by Anonymous Coward on Wednesday August 19 2015, @12:02AM

      by Anonymous Coward on Wednesday August 19 2015, @12:02AM (#224688)

      > Does that mean I don't have to file or pay taxes if my records were stolen by the Russians?

      The most likely use of this data is to file bogus refund claims - so instead of you getting a refund, the criminals route it to themselves. That is, by far, the most common use for these sorts of records, at least currently. If you aren't owed a refund, no big deal. If they scooped your refund, the IRS will eventually send you yours, it's just going to be a hassle getting it all straightened out.

  • (Score: 1, Insightful) by Anonymous Coward on Monday August 17 2015, @09:05PM

    by Anonymous Coward on Monday August 17 2015, @09:05PM (#224098)

    The SSN is completely compromised. When is the gov going to replace it?

    • (Score: 1) by nitehawk214 on Monday August 17 2015, @09:12PM

      by nitehawk214 (1304) on Monday August 17 2015, @09:12PM (#224102)

      Isn't there a law that says companies cannot use SSN to identify customers/clients? Of course this does not apply to government agencies themselves.

      --
      "Don't you ever miss the days when you used to be nostalgic?" -Loiosh
      • (Score: 1) by Delwin on Monday August 17 2015, @09:46PM

        by Delwin (4554) on Monday August 17 2015, @09:46PM (#224120)

        ... you do realize that the whole point of the SSN is for the IRS to track you? That's why no one else is supposed to use it.

        • (Score: 2) by c0lo on Monday August 17 2015, @10:29PM

          by c0lo (156) Subscriber Badge on Monday August 17 2015, @10:29PM (#224133) Journal

          > ... you do realize that the whole point of the SSN is for the IRS to track you? That's why no one else is supposed to use it.

          Huh? You know my username on SN, so does it mean you can post in my name?

          --
          https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
      • (Score: 2) by FatPhil on Tuesday August 18 2015, @07:33AM

        by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Tuesday August 18 2015, @07:33AM (#224290) Homepage
        It's perfectly valid for identification - it's just not secret. It was never designed to be secret, and was never designed to be used as if it was secret. It's your username, not your password. For once, the authorities didn't do something wrong. However, any process that does not authenticate the use of the username is broken.
        --
        Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
    • (Score: 3, Insightful) by c0lo on Monday August 17 2015, @10:25PM

      by c0lo (156) Subscriber Badge on Monday August 17 2015, @10:25PM (#224131) Journal

      > The SSN is completely compromised.

      Compromised as what? As user identity (same as username), no thank you, it's fine. As authentication token (same as password) it was never secure - stupid for someone to think it was.

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
      • (Score: 0) by Anonymous Coward on Monday August 17 2015, @11:34PM

        by Anonymous Coward on Monday August 17 2015, @11:34PM (#224149)

        I know compromised was a bad choice. But the gov needs to make it 'clear' this number is now 'useless'. All the other companies using it will quickly follow suit. They need to then follow it up with 'we will sue if you use it for anything other than social security'.

        They need to acknowledge identity theft is real. They need to make it easy to become uncompromised. Instead they turn a blind eye and enable thieves to ruin thousands of people's lives per year.

      • (Score: 2) by darkfeline on Monday August 17 2015, @11:34PM

        by darkfeline (1030) on Monday August 17 2015, @11:34PM (#224150) Homepage

        >stupid for someone to think it was

        I guess that confirms it then, most people (companies/organizations) are stupid. Next you'll tell me that fingerprints aren't good authentication tokens either, meaning that most iPhone users are stupid.

        --
        Join the SDF Public Access UNIX System today!
        • (Score: 2) by c0lo on Tuesday August 18 2015, @12:59AM

          by c0lo (156) Subscriber Badge on Tuesday August 18 2015, @12:59AM (#224180) Journal

          > Next you'll tell me that fingerprints aren't good authentication tokens either, meaning that most iPhone users are stupid.

          Almost goes without saying, a fingerprint is so easy to duplicate that even instructables [instructables.com] carry a howto.
          Except that I'd amend that by saying Apple is stupid** to provide a means to scan fingerprints and use them as an auth token and some of the iPhone users may be stupid to do it.

          --

          ** Dang Hanlon's Razor, let's say it straight: Apple is malicious in doing it - hunts the easy buck and lures its users into lack of security.

          --
          https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
  • (Score: 3, Interesting) by frojack on Monday August 17 2015, @09:25PM

    by frojack (1554) on Monday August 17 2015, @09:25PM (#224109) Journal

    According to the CBS link:

    > In order to access the information, the thieves cleared a security screen that required knowledge about the taxpayer, including Social Security number, date of birth, tax filing status and street address,

    So this may be a secondary hack, and there must have been a prior hack where the "Knowledge" sufficient to get past the "security screen" was obtained. Granted if you know someone's ssn, you can probably find DOB on line somewhere, and maybe street address, but filing status might be something you have to guess at, (there aren't that many choices, and public records contain enough info for an educated guess).

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 1, Interesting) by Anonymous Coward on Monday August 17 2015, @10:47PM

      by Anonymous Coward on Monday August 17 2015, @10:47PM (#224138)

      Not really. The way SSNs are assigned is by geography and date. That gives you the general area and whatnot. Also, even without those leads they provided most of the data needed to do that, until very recently, was provided on the IRS website in the form of W-2s.

      But, I do think you are right. This is probably a consequence of the TurboTax hack. That bar was lower (it relied on knowing info on a multiple choice quiz, which you could take repeatedly) and would have provided hints necessary to get even more people (dependents claimed in the past but not now) and the tax transcript would finish the job.

      • (Score: 2) by frojack on Monday August 17 2015, @11:09PM

        by frojack (1554) on Monday August 17 2015, @11:09PM (#224140) Journal

        That's the way SSNs USED TO BE assigned, but this is a mobile nation, and people worth hacking don't live in their birth-town for the rest of their lives.

        --
        No, you are mistaken. I've always had this sig.
        • (Score: 0) by Anonymous Coward on Tuesday August 18 2015, @12:34AM

          by Anonymous Coward on Tuesday August 18 2015, @12:34AM (#224171)

          > That's the way SSNs USED TO BE assigned, but this is a mobile nation, and people worth hacking don't live in their birth-town for the rest of their lives.

          But birth notices do remain.

          And then there are huge repositories of personally identifiable information at genealogy websites. [familytreemagazine.com] Even if you personally didn't hand over your info, some helpful, naive grandmother probably did it for you.

  • (Score: 3, Interesting) by PizzaRollPlinkett on Tuesday August 18 2015, @10:57AM

    by PizzaRollPlinkett (4512) on Tuesday August 18 2015, @10:57AM (#224346)

    I want every single identity to be stolen for every person in the USA so the current broken system will have to be fixed. Unless the pain point is reached where this affects everyone, nothing will be done.

    --
    (E-mail me if you want a pizza roll!)