More than 100,000 people are about to get an unpleasant letter from the IRS, but it doesn't involve the word "audit." Instead, think cyber-theft. The agency said today that online criminals tapped into the information of 104,000 people through the IRS' popular "Get Transcript" service. As the AP explains, the service allows people to access their previous returns, and therefore it would allow cyber-thieves who gain entry to grab all kinds of personal information. CNN Money reports that the thieves used the data to claim at least 15,000 fraudulent refunds, but it adds that the greater danger is the prospect of identity theft—and the possibility of bogus bank accounts and credit lines, for example.
The IRS has shut down the service for the time being as it ramps up security. (The site Krebs on Security had warned of vulnerabilities at IRS.gov in March.) Still, Forbes explains that this wasn't a hack in the traditional sense. In order to get to the taxpayer information, the thieves were able to answer a slew of security questions—"out of wallet" information they likely gleaned elsewhere from sites such as Facebook. "So this isn’t an example of hackers exploiting a system vulnerability as much as it is a s-----, costly reminder that weak security questions can be dangerous," writes Kate Knibbs at Gizmodo.