According to the Internal Revenue Service (IRS), over 300,000 taxpayers have fallen victim to the “get transcript” scam and have had their personally identifiable information stolen:

In March 2015, I warned readers to Sign Up at IRS.gov Before Crooks Do It For You — which tracked the nightmarish story of Michael Kasper, one of millions of Americans victimized by tax refund fraud each year. When Kasper tried to get a transcript of the fraudulent return using the “Get Transcript” function on IRS.gov, he learned that someone had already registered through the IRS’s site using his Social Security number and an unknown email address.

Two months later, IRS Commissioner John Koskinen publicly acknowledged that crooks had used this feature to pull sensitive data on at least 110,000 taxpayers. Today, the Associated Press and other news outlets reported that the IRS is now revising those figures, estimating that an additional 220,000 potential victims had Social Security numbers and information from previous years’ tax filings stolen via the IRS Web site.

“In all, the thieves used personal information from about 610,000 taxpayers in an effort to access old tax returns,” the AP story notes. “They were successful in getting information from about 334,000 taxpayers.”

The IRS never uses this method for contacting people so there is absolutely no reason to fall victim to such a scam.

President Obama has asked for a 72% increase in cyber security funding for the IRS so they can effectively combat tax return identity theft:

Following raids on taxpayer coffers by identity thieves, the Obama administration would like to push $242 million into agency data analysis, IT controls, and victim support, among other things, according to new detailed spending figures.

In May, IRS officials disclosed that ID thieves gamed an IRS online tool to pull sensitive financial data on 100,000 taxpayers and ultimately claim about $39 million in their names. The tax agency unplugged the service, called Get Transcript, and it remains offline.

With new money, “the IRS would take especially aggressive steps to fight identity theft and stolen identity refund fraud,” budget documents state. “These include systems improvements and new information sharing with states and industry to help detect and prevent identity theft before tax refunds are paid.”

USA Today writes how the recent IRS breach has allowed cyber criminals to steal up to $39M by filing fraudulent tax returns based on personally identifiable data exfiltrated in the attack:

Cyber-thieves responsible for a large IRS data breach stole as much as $39 million by filing fraudulent tax refunds after gaining access to taxpayer information, the head of the nation’s tax agency told Congress Tuesday.

IRS Commissioner John Koskinen provided the updated damage estimate on the embarrassing data breach initially made public last week and said federal tax officials are working with private tax-preparation firms in an effort to strengthen U.S. tax system security.

However, the federal inspector general who oversees the IRS predicted the agency could face additional computer attacks as preliminary investigation results show the cyber-thieves were part of an effort operated from Internet domains in Russia and other countries.

“For now, our biggest concern is for the affected taxpayers, to make sure they are protected against fraud in the future,” Koskinen told the U.S. Senate Committee on Finance, saying tax officials are contacting those affected and helping them secure their personal data.

Someone needs to be fired for such obvious negligence, and allowing a breach of this magnitude to happen.

Patrick Thibodeau of Infoworld on the IRS cutting its cyber security staff by 11% over four years yet increasing overall spending on cyber security:

The Internal Revenue Service, which disclosed this week the breach of 100,000 taxpayer accounts, has been steadily reducing the size of its internal cyber security staff as it increases its security spending. This may seem paradoxical, but one observer suggested it could signal a shift to outsourcing.

In 2011, the IRS employed 410 people in its cyber security organization, but by 2014 the headcount had fallen by 11 percent to 363 people, according to annual reports about IRS information technology spending by the U.S. Treasury Department Inspector General.

Despite this staff reduction, the IRS has increased spending in its cyber security organization. In 2012, the IRS earmarked $129 million for cyber security, which rose to $141.5 million last year, an increase of approximately 9.7 percent.

If the IRS cut their cyber security staff while increasing overall cyber security spending, they are relying on either a managed security service or a lot of automation for their alerting. The former is the likely answer, although knowing how the US government functions, it would not surprise me if it were the latter: do more with less.

The Associated Press reports on the IRS tracing the identity thieves to Russia, a country commonly known for their penchant to conduct cyber-based criminal activity:

But two officials briefed on the matter said Wednesday the IRS believes the criminals were in Russia, based on computer data about who accessed the information. The officials spoke on condition of anonymity because they were not authorized to publicly discuss the ongoing investigation.

The revelation highlights the global reach of many cyber criminals. And it’s not the first time the IRS has been targeted by identity thieves based overseas.

In 2012, the IRS sent a total of 655 tax refunds to a single address in Lithuania, and 343 refunds went to a lone address in Shanghai, according to a report by the agency’s inspector general. The IRS has since added safeguards to prevent similar schemes, but the criminals are innovating as well.

The information was taken from an IRS website called “Get Transcript,” where taxpayers can get tax returns and other tax filings from previous years. In order to access the information, the thieves cleared a security screen that required detailed knowledge about each taxpayer, including their Social Security number, date of birth, tax filing status and street address.

No surprises here.

Cory Bennett of The Hill discusses how the IRS cyber theft tactics could work at any United States government agency:

The IRS revealed Tuesday that cyber crooks, likely backed by an organized crime syndicate, had accessed returns for roughly 104,000 taxpayers through the agency’s “Get Transcript” feature.

The scheme appeared to be part of a larger plot to file fraudulent tax returns and collect illegitimate refunds.

But the digital thieves didn’t actually break into the IRS’s database. They simply imitated individuals using information culled from the vast trove of personal data being traded on the dark Web after numerous company data breaches in recent years.

Any federal agency with valuable data could fall victim to the same maneuver, experts explained.

“The possibility of the same tactic being reprised at other agencies that have public-facing missions, I think, is very high,” said Jim Penrose, a former head of the National Security Agency’s Operational Discovery Center and now an executive vice president at cybersecurity firm DarkTrace.

It is absolutely true. The US government has a fairly standard cyber security posture across the board, and is likely open to the same types of attacks no matter what agency we are talking about with the one possible exception being the Department of Defense.

Katie Kuehner-Hebert of CFO Online on the IRS being hacked and tax records for 100,000 people being remotely accessed:

Amid increasing concern over the security of Internal Revenue Service computer systems, the agency has disclosed that hackers accessed the personal tax data of more than 100,000 taxpayers in an effort to claim fraudulent refunds.

The IRS said it had determined late last week that “unusual activity” had occurred on its online service called Get Transcript, where filers can get tax returns and other filings from previous years.

The hackers used the personal data of taxpayers — including Social Security numbers, dates of birth, and street addresses — to clear a security screen and log on to Get Transcript, the IRS said.

The service has been shut down temporarily and the security breach is under review by the Treasury Inspector General for Tax Administration as well as the IRS’ criminal investigation unit. The IRS will provide free credit monitoring services for the affected taxpayers whose accounts were accessed, including those for which the hackers couldn’t clear all the authentication hurdles.

I find myself somewhat unsurprised this happened considering how government agencies generally approach their own internal-facing cyber security postures.