The IRS disclosed in May that one of its applications had been breached by hackers, resulting in the theft of personal data of 100,000 taxpayers. Since then, the agency has disclosed that the number of taxpayers affected is much higher – over 330,000 taxpayers have had their personal information stolen.
A report by Quartz details the story of one man, Michael Kasper, who was likely one of the more than 330,000 taxpayers who had their personal information stolen. The IRS has yet to confirm or deny whether Kasper’s tax fraud case was part of the larger hack. However, based on Kasper’s own investigation into the fraud, it appears to be the case. As the report notes:
“The story of Kasper’s tax return would eventually turn out to involve a bank account in rural Pennsylvania, a go-between on Craigslist, and a Western Union wire transfer to Nigeria. He was almost certainly one of the more than 330,000 Americans who fell victim to an audacious hack of the Internal Revenue Service (IRS), which was disclosed earlier this year.”
The breach was not a result of hackers utilizing innovative new software. Instead, as the report notes, they walked through the front door:
“The hackers didn’t use sophisticated malware or social engineering tactics—the hallmarks of many recent data breaches. Instead, they walked in through the front door of the IRS website, pretending to be regular people filing their taxes, and walked out with millions of dollars in fraudulent refunds.”
As the report notes, hackers managed to breach the “Get Transcript” system by using data they had obtained from other sources, likely through an automated process:
“In the first step, a user has to provide a Social Security number, date of birth, tax filing status, and street address, according to the IRS statement. The second step is a common identity-verification method known as Knowledge-Based Authentication, or KBA, and it involves a series of multiple-choice questions that ask the user about his or her credit history.”
Once they had breached the Get Transcript system, they filed fraudulent tax returns using the personal data within the system:
“In any case, once the hackers had successfully obtained taxpayers’ personal data, they now had to use it to create new tax returns. Comparing Kasper’s real return to the fraudulent one submitted under his name, it seems clear that this process—which involves filling out PDF forms and submitting them online—would have been automated too.”
As ATR previously noted, this data breach was entirely preventable. The IRS had been warned seven times by watchdog groups to strengthen its protection of sensitive data, but the agency failed to implement nearly 50 recommendations.