IRS: Personal Info of 100,000 Taxpayers Accessed Illegally

An anonymous reader writes: The Associated Press reports that an online service provided by the IRS was used to gather the personal information of more than 100,000 taxpayers. Criminals were able to scrape the "Get Transcript" system to acquire tax return information. They already had a significant amount of information about these taxpayers, though — the system required a security check that included knowledge of a person's social security number, date of birth, and filing status. The system has been shut down while the IRS investigates and implements better security, and they're notifying the taxpayers whose information was accessed.

DoB, SSN & Filing Status??

[CrimsonAvenger]

That's all the ID the IRS requires to use their "secure" site???

Jaysus, you can get most of that (SSN & DoB) by looking at someone's Driver License in most States.

And guessing Married Filing Jointly will work more often than not, I expect....

Re:DoB, SSN & Filing Status??

[Charliemopps]

That's all the ID the IRS requires to use their "secure" site???

Jaysus, you can get most of that (SSN & DoB) by looking at someone's Driver License in most States.

And guessing Married Filing Jointly will work more often than not, I expect....

I know, it's hilarious. These agencies/companies get hacked due to their own willful negligence... then scream "Hackers did it!" like hackers have magic hacking wands that turn servers inside out. It seems that the only piece of info that would have been remotely hard to get was filing status... which the "hackers" just guessed at. It looks like they were 50% successful, and I bet if compared with the victims filing status, they likely had a 50% chance of filing jointly or something. What a joke. This is completely and entirely the IRS's fault.

Make a new law, if you get hacked, you have to pay the person whos data you lost $100,000. Problem solved. You can then decide if spending time on securing the data is worth it, or if you just want to not store it. It IS possible to prevent this sort of thing. These agencies and companies just don't think it's profitable to do so when the penalty for losing a persons info is nothing more than a press release.

Re:DoB, SSN & Filing Status??

[ShanghaiBill]

No-one should have your SSN beyond the government.

That is silly. The original point of SSNs was so that employers could use them to identify workers when paying social security taxes to the government. So, obviously, your employer needs to know it.

We need to get away from the ridiculous idea that something can be both widely known and secret. SSNs should only be used for identification, and should never be used for authentication. We should have a separate system for that.

Contradictory information

In order to access the information, the thieves cleared a security screen that required knowledge about the taxpayer, including Social Security number, date of birth, tax filing status and street address.

In all, about 200,000 attempts were made from questionable email domains, with more than 100,000 of those attempts successfully clearing authentication hurdles.

Email doesn't go through a "security screen". Do they mean "questionable IP addresses" rather than "email domains"?

Mad Lib

[Voyager529]

[NEWS_OUTLET] reports that an online service provided by [ORGANIZATION_WITH_PERSONAL_DATA] was used to gather the personal information of [CUSTOMERS_OR_USERS]. Criminals were able to scrape [INSECURE_SYSTEM] to acquire [SUPPOSEDLY_SECURED_INFORMATION]. The system has been shut down while [OVERPAID_AND_INCOMPETENT_ANALYSTS] investigate and [PROMISE], and they're notifying [CUSTOMERS_OR_USERS] whose information was accessed.

At this point, you can turn this story into a Mad Lib, and fill in the blanks with basically any set of nouns, and it'll mostly be true.

Very Serious

This is actual even more serious than it sounds since the IRS basically gave the criminal a mean of mass validating their existing data. They have in effect proven valid SSN/Birthday pairs now ready to be used and abused.

It's not just the IRS

[Sir_Eptishous]

Yea, /. had a story about the IRS and SS sites a while back.
Make sure your log in and create an account for the Social Security Administration too.

It really is getting ridiculous how frequent this shit is happening now.
It's almost to the point where people don't even pay attention:
"Oh wow, another big financial institution got hacked... Another fifty million Americans data is in the hands of criminals... What can we do about it?"

The average American is at their wits fucking end trying to keep up with all their accounts, passwords, blah diddy fucking blah shit they have to keep track of. For most of us this isn't an issue, but you can guarantee that for the vast majority of Americans, they are flying blind when it comes to all various requirements for being secure online. Oh, and lest I forget(how could I?) all of these security problems we encounter daily are always for convenience of the user(Trust Us!). Convenient apps/plugins/sites/tools to make your life easier:
"Isn't your life easier with our no security, pro-hacker enabled widget? Why, within a matter of moments of using our widget your personal data, financial data and medical data will be in the hands of our trusty hacker/malware infested servers in DerkaDerkaStan, where our trusty staff of well trained consultants will bleed you dry before you can click the X in the upper right hand corner. Why, to deny such a widget would be an affront to America, to the very meaning of Freedom and Capitalism!"

To be less hyperbolic, think of what it takes to have even a modicum of security online. We've got to have hardened browsers(NoScript, AdBlock, etc), we have to have different id/pw combinations for all important sites(that one really messes with people...), we have to have an account with a credit monitoring/credit agency(Equifax, etc) to monitor our financial accounts, we have to have up to date settings, firmware on our DSL/Cable modems, we have to have our OS security settings correct, AV/AntiMalware, etc, etc, etc

Have fun with all that, average American(it's bad enough for "advanced" users).