Attackers using malware and stolen personal information managed to generate 101,000 e-filing PINs, according to the IRS. Affected taxpayers will be notified by mail, and their accounts will be monitored.
The attack, which happened last month, was carried out by attackers who already had the Social Security Numbers (SSNs) of 464,000 people, according to the IRS. Their automated system generated 101,000 e-filing PINs before the IRS detected it and the scheme was shut down.
The attack was revealed to the public yesterday via a statement from the IRS, which briefly outlined what happened.
“Using personal data stolen elsewhere outside the IRS, identity thieves used malware in an attempt to generate E-file PINs for stolen social security numbers,” said the statement. “An E-file pin is used in some instances to electronically file a tax return.”
The IRS was quick to state that “no personal taxpayer data was compromised or disclosed by IRS systems,” and that the attackers had access to the SSNs prior to the attack. In essence, having access to the SSNs is what made the attack effective.
There’s a massive amount of leaked personal information available in online black markets, including databases of leaked SSNs, and would-be fraudsters are always looking for new ways to monetize this purloined data. This incident is an example of turning raw materials (a database of Social Security numbers) into something potentially more lucrative: a database of working e-file PINs. Stealing even a small fraction of that many people’s tax rebates would certainly be profitable, and seemingly valid e-file PINs could go a long way toward making that possible.
The incident, which happened last month, was not related to last week’s brief IRS outage.
“IRS cybersecurity experts are currently assessing the situation, and the IRS is working closely with other agencies and the Treasury Inspector General for Tax Administration,” said the statement. “The IRS also is sharing information with its Security Summit state and industry partners.”
Online security is hard, but it is essential when it comes to tax data. Remember: keep personal information like your Social Security number to yourself, and never share it over email, IM, or social networks.