NEW YORK (TheStreet) — There is good news hidden in the recent reports of an Internal Revenue Service hack — the IRS did not suffer a breach, and only 100,000 taxpayers appear to have been victimized — but then there may also be the worst news ever to come out of a cyber crime, putting us all in the crosshairs.
The IRS has not said specifically what criminals did with the tax returns they stole while rooting through government computers from February through mid-May, but many security experts suspect they filed fake returns in the victims' names, probably seeking refunds of many thousands of dollars. "I'd guess they are using the information to file tax returns," says Tom DeSot, CIO of Digital Defense.
But as Christopher Budd, a security expert with Trend Micro, explains: “It seems to me we now can believe there are criminal versions of legitimate credit reporting agencies, and your information may be for sale.”
Experts had wondered why there had been no apparent use of information stolen in big recent health insurer breaches — notably Anthem and Premera — and this kind of use may be exactly where those data show up, because in many cases there are enough details gathered to let criminals answer security challenge questions. “What we are seeing in the IRS data theft is a sophisticated campaign, to gather and collate information about people,” Budd says.
Ken Levine, CEO of Digital Guardian, has similar fears: “Data is being appropriated and used post the initial breach,” he says. “What makes this sinister is that the criminal element is finding other use cases for breached data. This ups the stakes.”
This is not breathless fear mongering. The clues are in what the IRS has said about how criminals appear to have gotten 100,000 taxpayer files and — notably — were foiled in another 100,000 attempts.
The IRS’ so-called "get transcript" application lets people retrieve their tax information after answering questions about such things as Social Security numbers, dates of birth, past tax filing statuses and addresses. “The multi-layer process also requires an additional step, where applicants must correctly answer several personal identity verification questions that typically are only known by the taxpayer,” the IRS says.
There is no indication the criminals got their information from IRS sources. Rather, they appear to already have the information in hand when they accessed the IRS system.
That, Budd suggests, is the problem: Apparently the criminals had built up dossiers that let them succeed in half their attempts to grab tax returns. There is now so much information online — some stolen in recent breaches, for instance, but much of it voluntarily posted by us on Facebook and similar venues — that it has become comparatively straightforward to answer even intimate questions about others.
“It looks as though an organized crime syndicate has created a large database,” says Jim Treinen, vice president of security research at ProtectWise. “We have seen similar attacks before, but not at this scale. This is new.”
Early indications are that the IRS attacks originated in Russia. That has not been corroborated by the IRS.
Perhaps most troubling is that “this will haunt victims for a very long time,” DeSot says.
“Attackers look for [a return on investment]. They will use information to exploit the highest value target,” Treinen says.
The IRS has said it is mailing a letter to the 200,000 involved accounts and will provide free credit monitoring to the 100,000 known victims.
But that is not the end of this story.
“This is showing there are other monetization strategies for stolen data that could be years in the making,” Levine says.
Much of the stolen information is also very long-lasting — victims cannot easily change Social Security numbers, for instance. And, worse, the stolen tax returns may also have included Social Security numbers for dependent children, says Washington, D.C., private investigator Philip Becnel at Dinolt Becnel and the Wells Investigative Group.
Becnel advises victims to freeze their credit reports immediately, so others cannot see them. That means that in most cases new credit will not be issued, short-circuiting attempts at identity theft. Experts also advise using a credit monitoring service, as the IRS is offering. Useful as that may be, experts also said that for affected consumers their only self-defense is long-term monitoring of their accounts, because criminals now have all the information needed to target them for identity theft for years to come.
“I would leave that credit lock on for quite some time,” Becnel says.