The IRS announced that more than 100,000 taxpayers' accounts were compromised by hackers. But as government institutions are increasingly targeted by cybercriminals, will citizens' data continue to be vulnerable?
The US Internal Revenue Service (IRS), the authority tasked with tax collection and tax law enforcement, announced on Tuesday that more than 100,000 taxpayers' accounts had been compromised by a hacking operation lasting three months.
The tax collection agency said that the "malicious actors acquired sensitive data from a source outside the IRS" in order to gain access to taxpayer account information through the agency's "Get Transcript" application.
"These third parties gained sufficient information from an outside source before trying to access the IRS site, which allowed them to clear a multi-step authentication process, including several personal verification questions that typically are only known by the taxpayer," the statement said.
The IRS said it would be notifying a total of 200,000 taxpayers targeted by the attack within the coming week and would offer "free credit monitoring services" for the more than 100,000 people who actually had their confidential data compromised.
"As always, the IRS takes the security of taxpayer data extremely seriously, and we are working aggressively to protect affected taxpayers and continue to strengthen protocols," the agency said.
However, the data breach was not detected until "mid-May" despite having initially begun in February 2015, allowing the hackers to access taxpayer information for a period of three months. Although only half of the more than 200,000 accounts had been accessed, the incident casts doubt over the US government's ability to protect citizens' sensitive data from cybercriminals.
The US Government Accountability Office (GAO), which monitors the practices and procedures of government agencies, published a report in March 2015 detailing "significant deficiencies" at the IRS in properly implementing security protocols. Similar criticisms were also found in the GAO's 2013 and 2014 IRS audit reports.
Greg Wilshusen, director of Information Security at the GAO, told DW that security vulnerabilities had been discovered after auditing IRS information security controls. However, Wilshusen said he could not make "any assertions" regarding the "Get Transcript" application, since it had not been directly assessed by the GAO.
"But what we noted at the time of our review is that the IRS did not consistently follow its security risk assessment process when implementing interactive tools," Wilshusen said.
Other agencies 'susceptible to attack'
The incident comes a month after US President Barack Obama asked tech companies to "partner" with the government in tackling cybercrime. Cyber attacks against government institutions have increased significantly since 2005.
"Other [government] agencies are also susceptible to attack. And I would say probably every agency is susceptible to a sophisticated attack, even those that have good security controls," Wilshusen said.
Security firms, hackers, and the National Security Agency (NSA) are conducting what they call "reverse engineering" of existing software in order to identify vulnerabilities, which "may not be publicly known," Wilshusen told DW, adding that these vulnerabilities could then be exploited.
"There are a number of steps that need to be put in place to help manage the risk because agencies are not going to be able to eliminate that risk of cyber attack or cyber intrusion," Wilshusen noted.
Beyond the breach
Carsten Maple, director of Cyber Security Research and a professor of cyber systems engineering at the University of Warwick in Britain, told DW that governments are "constantly" under attack, especially due to the value of "big data."
However, Maple noted that, in the case of the IRS hacking incident, the information needed to access the sensitive data was available through other sources.
"The social security numbers are needed to get in illegitimately into the system. Of course, we give away that kind of information to many different sources, sometimes voluntarily. You give it to your company, for example. That just exacerbates the number of sources your information can be accessed from," Maple told DW.
Maple added that it is common for cybercriminals to target one account in order to compromise others, especially when passwords are shared across platforms. As a result, one compromised target can affect many others. But the difficulties lie in the aftermath of a security breach.
"Once information is accessed, it can be put on the Internet effectively for free, just somebody doing it to show that they could. That has happened. Or it could be on the darker web for sale. That is really difficult to overcome. And that is what we've got to recognize, that it isn't just that single system. It's other data that is available."