The US Internal Revenue Service (IRS) has revealed that around 330,000 US taxpayers were affected by a data breach in May 2015, more than three times the number originally estimated.
The number of affected taxpayers may rise even further as the investigation into the breach continues, reports Ars Technica.
The IRS initially said hackers had used data from breaches of non-IRS sources to gain access to the agency’s Get Transcript feature from February to mid-May 2015 and harvest 100,000 records.
The hackers used the data to answer security questions in the multi-step authentication process used by the Get Transcript online service that enables US taxpayers to get copies of past tax returns.
The breach is believed to be part of a planned larger campaign to make fraudulent claims for tax refunds using the stolen identities. The IRS said more than $5.8bn in fraudulent refunds were made in 2013.
The IRS initially reported that more than 200,000 attempts to access the Get Transcript service were made from “questionable” email domains, but has now said more than 600,000 attempts were made.
So far, the IRS has found that around 330,000 attempts were successful, giving the hackers access to enough data to make fraudulent tax refund claims or commit other fraud such as applying for credit.
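The figures above (600,000 attempts, around 330,000 of them successful, many from "questionable" email domains) are the kind of aggregate a defender would compute from the authentication logs of a service like Get Transcript. The script below is an added example and is not code from the IRS or from the article; the log line format, the domain names, the IP addresses and the thresholds are all constructed for illustration. It parses one line per knowledge-based authentication (KBA) attempt, aggregates attempts and passes per email domain, and flags domains where many distinct accounts are funnelled through a small number of source addresses, which is a volume signal that does not depend on the KBA answers themselves.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real IRS data). Each line records one
# attempt at the KBA step of a transcript request: timestamp, email address
# used, source IP and whether the KBA questions were answered correctly.
SAMPLE_LOG = """\
2015-05-01T10:00:01Z email=alice@example.org src=198.51.100.7 kba=pass
2015-05-01T10:00:05Z email=bob@example.net src=198.51.100.8 kba=fail
2015-05-01T10:00:09Z email=bob@example.net src=198.51.100.8 kba=pass
2015-05-01T10:01:00Z email=u1@bulkmail.invalid src=203.0.113.5 kba=pass
2015-05-01T10:01:02Z email=u2@bulkmail.invalid src=203.0.113.5 kba=pass
2015-05-01T10:01:04Z email=u3@bulkmail.invalid src=203.0.113.5 kba=fail
2015-05-01T10:01:06Z email=u4@bulkmail.invalid src=203.0.113.6 kba=pass
2015-05-01T10:01:08Z email=u5@bulkmail.invalid src=203.0.113.6 kba=pass
2015-05-01T10:01:10Z email=u6@bulkmail.invalid src=203.0.113.6 kba=fail
2015-05-01T10:02:00Z email=carol@example.org src=198.51.100.9 kba=pass
"""

# Assumed log format; a real service would have its own schema.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) email=(?P<email>\S+) src=(?P<src>\S+) kba=(?P<kba>pass|fail)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["domain"] = rec["email"].rsplit("@", 1)[-1].lower()
    rec["passed"] = rec["kba"] == "pass"
    return rec


def summarize(log_text):
    """Aggregate per email domain: attempts, passes, distinct accounts, distinct sources."""
    stats = defaultdict(
        lambda: {"attempts": 0, "passes": 0, "users": set(), "sources": set()}
    )
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole run
        s = stats[rec["domain"]]
        s["attempts"] += 1
        s["passes"] += int(rec["passed"])
        s["users"].add(rec["email"])
        s["sources"].add(rec["src"])
    return stats


def overall_pass_rate(stats):
    """Fraction of all KBA attempts that succeeded (0.0 if there were none)."""
    attempts = sum(s["attempts"] for s in stats.values())
    passes = sum(s["passes"] for s in stats.values())
    return passes / attempts if attempts else 0.0


def flag_domains(stats, min_attempts=5, max_users_per_source=2.0):
    """Flag domains with enough volume where many distinct accounts share few
    source addresses. Thresholds are placeholders; tune them to a baseline
    measured on known-good traffic. Returns sorted
    (domain, attempts, passes, users_per_source) tuples."""
    flagged = []
    for domain, s in stats.items():
        if s["attempts"] < min_attempts:
            continue
        users_per_source = len(s["users"]) / len(s["sources"])
        if users_per_source > max_users_per_source:
            flagged.append((domain, s["attempts"], s["passes"], users_per_source))
    return sorted(flagged)


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    print(f"overall KBA pass rate: {overall_pass_rate(stats):.0%}")
    for domain, attempts, passes, ups in flag_domains(stats):
        print(f"flag {domain}: {attempts} attempts, {passes} passed, "
              f"{ups:.1f} accounts per source address")
```

The pass rate is reported alongside the flag rather than used as the trigger: an attacker holding breached answers passes KBA at roughly the same rate as legitimate users, so the discriminating signal is the shape of the traffic, not its success rate.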
The service was taken offline immediately after the breach was discovered, and it remains unavailable as the IRS continues its investigation.
IRS officials said that credit protection would be offered to taxpayers whose accounts were exposed.
They also warned that while several thousand fraudulent tax returns were filed for 2015, the attackers are believed to have been gathering data for the 2016 tax season.
The IRS has urged US taxpayers to file their tax returns as soon as possible to reduce the possibility of fraudsters doing so first.
“These aren’t your run-of-the-mill independent hackers,” said IRS commissioner John Koskinen.
“We’re confident that these are not amateurs. These are organised crime syndicates that not only we, but everybody in the financial industry, are dealing with,” he added.
Commenting on the IRS breach in May, Tripwire senior security analyst Ken Westin said the incident highlighted that the internet has become a database of personal information, and that one breach can easily feed another.
“Unfortunately, the high number of large-scale data breaches has essentially transformed our personal information into public information; and this data should not be used as security or authentication checks,” he said.
According to security author Brian Krebs, the IRS breach should tell consumers something about the effectiveness of the technology the IRS, banks and countless other organisations use to screen requests for sensitive information.
This screening technology relies on “knowledge-based authentication” (KBA) questions, but as shown by the IRS breach, this can be beaten in around 56% of cases.
In December 2014, Krebs was able to find the name, address, Social Security number, previous address and phone number on all current members of the US Senate Commerce Committee.
“This information is no longer secret – nor are the answers to KBA-based questions – and we are all made vulnerable to identity theft as long as institutions continue to rely on static information as authenticators,” he wrote in a blog post.
Providing strong online authentication is the main motivation behind the UK government’s Gov.uk Verify identity and access management service, which lets users choose their preferred supplier from nine available when verifying their identity.
The Government Digital Service launched the Gov.uk Verify service in 2014 as part of its digital transformation of government services, to enable the public to access government services digitally and from one online location.
The Gov.uk Verify service improves the safety of online digital transactions with government, as the user’s personal data is not centrally stored and the identity provider cannot share it with third parties without the user’s consent.
The Department for Environment, Food and Rural Affairs was the first to implement the scheme, to allow farmers to submit farm information and claim subsidies. HM Revenue & Customs followed with a trial of the service to help the public complete their online self-assessment tax returns. The government expects nearly 700,000 people to be using the Gov.uk Verify service to log in to digital public services by November 2015.