Details About 100,000 Taxpayer Accounts Stolen From IRS

Hackers took the bait


Matthew G Bisanz

I've written before that personal data the Internal Revenue Service requires taxpayers to submit and then stores in haphazard fashion is essentially hacker bait. Amidst routinely terrible security practices, IRS employees have stolen data themselves, inappropriately browsed it for amusement, and sometimes just lost it (PDF). Such slips and abuses are inevitable given the vast quantity of sensitive data accumulated by tax collectors.

"[T]he vast databases held by the IRS, HHS, security agencies, etc, will be leaked on purpose, leaked because of bureaucrat sloppiness, or be hacked. The more they collect, the more that will eventually leak." Chris Edwards, director of tax policy studies at the Cato Institute, predicted to me last year. That "eventually"—at least, the latest round of it—is now. Today, the IRS annouced a little data mishap.

The IRS announced today that criminals used taxpayer-specific data acquired from non-IRS sources to gain unauthorized access to information on approximately 100,000 tax accounts through IRS' "Get Transcript" application. This data included Social Security information, date of birth and street address.

Whoever stole the information made it through the IRS's "multi-step authentication process" from February to mid-May of this year, apparently already possessing enough information to answer personal questions in order to access the full records. Officials have now shut down the Get Transcript application for the time being, and are contacting affected (or afflicted) taxpayers.

Which should tide things over until next time.

H/T: Charles WT