IRS Hack Exposes 100,000 Taxpayer Records

Users of the Internal Revenue Service’s Get Transcript service are at risk for identity theft after hackers accessed tax records belonging to more than 100,000.

Users of the Internal Revenue Service’s Get Transcript service are at risk for identity theft after the agency reported today that personal records belonging to more than 100,000 taxpayers had been accessed by hackers.

Get Transcript is unavailable currently on the website; the service provides users with tax account transaction information, line-by-line tax return information or wage and income reported to the IRS for a given year.

The Associated Press reported this afternoon that tax returns and other tax information on file with the agency were accessed. The attackers, the IRS told AP, had access to the system from February to the middle of this month, and beat security checks that require a user to enter personal information such as Social Security numbers, dates of birth, tax filing statuses and street addresses. A criminal investigation is under way.

“The IRS notes this issue does not involve its main computer system that handles tax filing submission; that system remains secure,” the IRS said in a statement provided to AP.

The report adds that 200,000 attempts to access the service were made from “questionable email domains.” More than half of those attempts were successful in getting past authentication checks.

The agency added that the attackers already were in possession of personal information belonging to the affected taxpayers; the IRS said it is notifying those affected.

Suggested articles


  • Khürt Williams on

    The headline indicates the IRS was hacked. Is that what really happened?
    • Kurt R on

      Well, when someone successfully logs into a system by entering the information the system requests, it is hard to call it an outright hack. It is more precise to say their site was brute-forced. Mitigations for brute forcing attempts include locking an account out for a particular duration, or indefinitely, when the system detects that someone is trying to force their way into the account by submitting guess after guess until they get the right value. Whatever the IRS does to mitigate this vulnerability, I hope it is finally clear that they must do something. This is not the first time the IRS has discovered its protections are not good enough.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.