Looks Like Russian Hackers Stole 100,000 Americans' Tax Returns Online

The Internal Revenue Service suspect that Russian hackers are the culprits who stole the tax records of at least 100,000 people this year, and—yep, you read that right. Russian hackers! If you’re getting déjà vu, that’s because this marks the third time in very recent history that US government websites have been preyed upon for their shitty security by “Russian hackers.”

Russian hackers were able to read President Obama’s emails due to a White House computer system breach, and in a separate embarrassment, Russian hackers accessed an unclassified Pentagon network. And now they’re suspected of the IRS debacle.


Reports on these incidents rarely get more specific than assigning blame to “Russian hackers,” which means that what could be completely separate crime rings are lumped together in the imagination as a sort of DIY cyber-KGB. But this isn’t a case where a brilliant cabal is outfoxing US security through dazzlingly sophisticated hacking techniques. We’re making “Russian hackers” look like shadowy Soviet geniuses because the security on government websites is such crap that it’s low-hanging fruit for thieves. There wasn’t even any hacking in the IRS situation, just plain old bad site security.

Rep. Peter Roskam (R-Ill.) described this most recent screw-up as especially disturbing precisely because the IRS wasn’t actually hacked at all. He said the so-called hackers “went in the front door of the IRS and unlocked it with the key.”

It’s beyond time for the IRS to make a better lock, and hopefully this humiliating string of breaches will spur a government initiative to be less awful at cybersecurity.



Thieves Used an Online IRS Service to Steal Info from 100,000 People

Paying taxes is generally an unpleasant time. But the baseline misery of siphoning cash back to bureaucrats sounds downright delightful compared to getting straight up robbed, which is what happened to a lot of people this year. The Internal Revenue Service shut down an online tax filing program today after announcing that thieves breached the system to steal personal information from more than 100,000 people.

The IRS’ “Get Transcript” service was targeted by thieves from February to May. The IRS service wasn’t hacked; the thieves had already stolen or guessed enough identifying information from people to get through the IRS security questions. So this isn’t an example of hackers exploiting a system vulnerability as much as it is a shitty, costly reminder that weak security questions can be dangerous.


“We’re confident that these are not amateurs,” IRS Commissioner John Koskinen told the AP, which seems like an understatement.

An understatement, but probably not a surprise: Security researcher Brian Krebs pointed out how susceptible the IRS’ online services are to fraud back in March. Krebs spoke to a man who knew someone had filed a fraudulent tax refund using his information; the man suspected that the thief had used Get Transcript to steal his information.

Even though the IRS didn’t actually get hacked, its wonky security system made it damn easy for thieves to break in en masse. This incident shows how data leaks, breaches, and hacks can have a domino effect. The thieves didn’t even have to hack the IRS to penetrate its system, because they were able to hijack social security numbers and other sensitive information elsewhere. Since the IRS uses static security questions, once a thief has someone’s basic personal information, they can easily slip into the system and file false tax refunds, getting stolen money directly deposited into their accounts.


The IRS has launched a criminal investigation, and is informing people with affected accounts that they’ve been compromised. Perhaps it’ll consider creating a more dynamic security system to avoid bulk ripoffs like this again.

[AP | Ars Technica]

Contact the author at kate.knibbs@gizmodo.com.
Public PGP key
PGP fingerprint: FF8F 0D7A AB19 6D71 C967 9576 8C12 9478 EE07 10C