The US Internal Revenue Service (IRS) is in the process of notifying an additional 220,000 taxpayers after finding that a cyber attack on its computer systems, revealed in May, is worse than previously thought.
The attack resulted in the loss of taxpayer account information, including social security numbers, home addresses and financial information, after hackers targeted a Get Transcript feature on the IRS website used by customers to view tax account details.
The IRS originally identified over 100,000 taxpayers whose accounts were accessed, but further investigation revealed that the number is significantly larger than initially disclosed.
"The IRS is moving aggressively to protect taxpayers whose account information may have been accessed. The IRS will begin mailing letters in the next few days to about 220,000 taxpayers where there were instances of possible or potential access to Get Transcript taxpayer account information," the department said.
Some of the data stolen by hackers may have been gathered in order to file fraudulent tax returns in the upcoming 2016 filing season, the IRS warned.
"Anyone receiving a letter should take steps to protect themselves by taking advantage of the free credit monitoring and identity protection Pin which can be used to verify the authenticity of next year's tax return," it said.
The IRS is also sending letters to an additional 170,000 households that could be at risk, even though hackers failed to properly access their account details in the breach.
"Given the uncertainty in many of these cases - where a tax return was filed before the Get Transcript access occurred, for example - the IRS notices will advise taxpayers that they can disregard the letter if they were actually the ones seeking a copy of their tax return information," the IRS said.
The IRS analysed more than 23 million uses of the Get Transcript system as part of the deeper investigation, and is now offering free credit protection and identity protection Pins.
"The IRS takes the security of taxpayer data extremely seriously, and we are working to continue to strengthen security for Get Transcript, including by enhancing taxpayer-identity authentication protocols," the department said.
V3 has contacted the IRS for additional comment.
Leo Taddeo, chief security officer at Cryptzone and former special agent in charge of the Cyber Division in the FBI’s New York Office, warned that the case shows how easy it is for cyber criminals to bypass password protection.
"Even security questions such as 'what was your high school mascot?' pose no real security challenge in an era when many people post the details of their lives on social media. It definitely shows the need for network defenders to go beyond user names and passwords to protect sensitive data," he said.
Simon Crosby, co-founder and chief technical officer at security firm Bromium, added that the IRS hack was the "last big piece in the puzzle" for nation state actors seeking to construct a detailed map of US society.
"It seems they partially succeeded in this attack. But they will be back," he said.