Remember that awful news of Russian hackers stealing the personal information of 100,000 taxpayers? Turns out the Internal Revenue Service lowballed the number. The agency now says that over 600,000 people were targeted with 300,000 unlucky persons losing their data privacy completely.
This is disconcerting, but it’s not surprising. Months before the massive attack was discovered, security researchers reported how unbelievably easy it was to hack into the IRS website and steal personal information. And then, someone actually did it by exploiting a vulnerability in the “Get Transcript” service between February and May of this year. Naturally, the IRS conducted an investigation. That took three months. Now, the findings show nearly a quarter million more households “where there were instances of possible or potential access.” Add the original 100,000 to the reported 220,000 households, and you get 320,000.
That’s a lot of innocent bystanders who can now count themselves as victims of the government’s losing war on cybersecurity. The problem isn’t so much that hackers stole everybody’s tax returns; they didn’t. The IRS says that the number of people whose tax returns were targeted is in the thousands, not the hundreds of thousands.
The problem is that as many as 320,000 people now have their personal details, like social security numbers, dates of birth, and addresses, out on the open market where they will be bartered and sold. Eventually someone could gather enough details to apply for credit cards or buy used Jet Skis on eBay or whatever they want to do with someone else’s money.
What’s worse is that the information has been out there for months, and the IRS is just getting around to alerting the victims. Then again, we’ve known for a long time that they’re not good at this computer security stuff. You might just want to file a paper return next year.
[WSJ]
Contact the author at adam@gizmodo.com.