If you can’t trust the government to keep your data safe, who can you trust?
Thousands of U.S. taxpayers are anxiously waiting to find out if thieves had accessed their personal and financial data after the Internal Revenue Service said Tuesday that a “sophisticated” organized crime syndicate had targeted one of its online tools.
The thieves accessed records on more than 104,000 taxpayers, which were used to claim refunds totaling no more than $50 million—many of which had later been voided.
IRS commissioner John Koskinen played down the data leak. “Our basic information is secure,” he said at a Tuesday press conference. “This is just the latest manifestation of people getting enough data to masquerade as a taxpayer.”
Though a massive amount of data were leaked, IRS systems were not breached. The agency said in a statement that late last week, thieves flooded the tax agency’s online “get transcript” tool—where taxpayers can download their past tax records, often to use in mortgage or loan applications—with valid taxpayer information. A lapse in how the tool checked user identities meant that the tool accepted some basic personal information, such as a Social Security number, date of birth, and address, along with personal questions you might not think twice about, such as your mother’s maiden name and where you went to high school.
As was clearly the case, it barely took the data thieves much thought, either. About 200,000 requests were made—half of them were successful—before the IRS shut down the tool.
Without a server breached or a website downed, the bigger question remains: Exactly how did thieves get enough data to impersonate taxpayers in the first place?
Security experts believe that years of data breaches and targeted hacks have left enough available data out in the wild—on underground forums and the “dark web,” the term for the parts of the web not yet indexed by popular search engines—to launch the attack.
In the past year, a number of major data breaches at financial, healthcare, and retail industries have led to the exposure (and in some cases sale) of hundreds of millions of Americans’ records. Many of those records include Social Security and credit card numbers, financial details, and username and password data.
Sol Cates, chief security officer at data security firm Vormetric, tells Fortune that data breaches from the past “continue to haunt people long after the actual event.”
“In [the IRS’] case, hackers leveraged previously stolen Social Security numbers to both access previous year’s tax data and to fraudulently apply for tax returns,” Cates says. “The social security numbers could have been stolen, or purchased from a black market site, at any time before the attack was started.”
Some critics argue that the IRS should have taken preventative measures when it had the opportunity. Jeff Williams, chief technology officer at Contrast Security, says if hackers were able to figure out how to trick the IRS’ systems into thinking they were legitimate users, the tax agency should have, too.
“The IRS decided that if you know a person’s Social Security number, birthday, and street address, then you must be that person,” says Williams. “Hackers figured this out and started scanning for people’s tax records.”
Lawmakers similarly were far from pleased. Sen. Orrin Hatch (R-Utah), chairman of the Senate Finance Committee, called the leak “simply unacceptable” in a statement. “What’s more, this agency has been repeatedly warned by top government watchdogs that its data security systems are inadequate against the growing threat of international hackers and data thieves,” he added. (His office did not respond to a request for further comment.)
Moving forward, experts say that solutions must focus on identity, rather than strictly cyber security. “It would be useful to invest in cyber security, instead of [rely on] some of the legislation that government is currently pursuing,” Williams says. “Cyber security sharing laws are not going to help against anything except the most ham-fisted broadly targeted scans, which aren’t much of a threat anyway.”
Veteran hacker and security researcher Dan Kaminsky agrees. There is a need to be able to properly identify people online, he says, but nobody has yet proven to be trustworthy enough—especially since former National Security Agency contractor Edward Snowden revealed in 2013 just how much data the U.S. government vacuums up on its own citizens.
“There is a rising tide of easily available personal information,” Kaminsky says, “and in that tide is more and more data that was assumed to be private enough to authenticate a user against.”