NEW YORK (TheStreet) — There is good news hidden in the recent reports of an Internal Revenue Service hack — the IRS did not suffer a breach, and only 100,000 taxpayers appear to have been victimized — but then there may also be the worst news ever to come out of a cyber crime, putting us all in the crosshairs.
The IRS has not talked specifically about what criminals used the stolen tax returns for in rooting though government computers from February through mid-May, but many security experts suspect they filed fake returns in the victim's name, probably seeking a refund of many thousands of dollars. "I'd guess they are using the information to file tax returns," says Tom DeSot, CIO of Digital Defense.
But as Christopher Budd, a security expert with Trend Micro, explains: “It seems to me we now can believe there are criminal versions of legitimate credit reporting agencies, and your information may be for sale.”
Experts had wondered why there had been no apparent use of information stolen in big recent health insurer breaches — notably Anthem and Premera — and this kind of use may be exactly where those data show up, because in many cases there are enough details gathered to let criminals answer security challenge question. “What we are seeing in the IRS data theft is a sophisticated campaign, to gather and collate information about people,” Budd says.
Ken Levine, CEO of Digital Guardian, has similar fears: “Data is being appropriated and used post the initial breach,” he says “What makes this sinister is that the criminal element is finding other use cases for breached data. This ups the stakes.”