
IRS says thieves stole tax info from 100,000 - davidlago
http://www.washingtonpost.com/politics/apnewsbreak-irs-says-thieves-stole-tax-info-from-100000/2015/05/26/ca17bcbc-03e2-11e5-93f4-f24d4af7f97d_story.html
======
patja
I started "working" a few hours a week teaching programming at my kids'
school. When they put me on the payroll I was astounded by the number of forms
I had to fill out. I counted 15 forms requiring my signature, no less than 5
of which required my SSN.

Lo and behold, there was a data breach of employee and volunteer records.
Volunteers had to have background checks, which required the SSN. Thousands of
people had their IRS return hijacked due to this breach. I personally know
dozens of people who were impacted.

From what I've seen of their information security, I remain completely
unsurprised that they had this breach and that to this date they have no idea
how it happened.

~~~
josu
You can look at it from the other side too, maybe Americans are putting too
much weight on the SSN. I could practically post my Spanish ID number next to
my name online and nothing would probably happen. As a matter of fact, a
stupid regional government agency posted it next to my name in 2011 and it's
been up ever since.

~~~
joering2
If you properly protect your security number, which requires some monthly
commitment (such as $15 lifelock, or freecreditreport $5 per month), you can
pretty much post your SSN online and really not much will happen. Any time
someone uses it, you will get the alert and chance to act (stop the inquiry
before it hit hard).

It just that most people believe that not making their SSN public is enough
for it to be safe.

~~~
__z
1) There are free sites to monitor your credit such as Credit Karma. No need
to pay hundreds a year. They even send out emails whenever you open up a new
line of credit. Lifelock is a huge scam and has been fined by the FTC.

2) Just being alerted when someone else opens up credit in your name is hardly
"protection." They still opened up credit in your name and you have to deal
with that which is at the very very least inconvenient.

3) Posting you SSN online makes products more expensive for everyone because
companies at the very least have to devote extra man hours every time someone
else tries to take out credit in your name. Even if nothing happens to you
they may have already issued a loan to the person and now has to write that
off.

4) This is about fraudulent tax returns which credit monitoring companies
wouldn't have info on.

I've had my identity stolen and I can tell you,it is truly awful.

~~~
klipt
> I've had my identity stolen and I can tell you,it is truly awful.

You and half of America. You know how many people are in Anthem's system?

------
bcantrill
I believe that this actually happened to me -- which tells me the 100,000
number is way too low. To be more precise: when we went to electronically file
our 2014 return, it was rejected because our return had already been filed
(not by us, of course). I (like 80+ million others) am a victim of the Anthem
breach, and I have assumed that my fraudulent return was part of that breach.
(Regardless, I have opted into the identity protection that Anthem has
provided as restitution to victims of the breach.[1])

As part of clearing this up with the IRS, I had to verify my own identity and
validate that the return that we (physically) sent was the true and correct
return. After a whopping 2+ hours on hold, I ran a grueling gauntlet of rather
obscure questions that amount to some flimsy shared secrets I happen to have
with the IRS. Once my identity was confirmed, I learned that the thieves had
filed a 2014 AGI that exactly matched my 2013 AGI. The IRS representative told
me that this was unusual (that is, that they normally they just make numbers
up), and it's clearly stupid (my return was flagged and didn't pay out), but
it obviously left me concerned that someone had somehow located my 2013
return. With this latest revelation, it's now clear that this could have
easily happened via the IRS itself.

Assuming that my experience is indicative of a larger trend, I expect many
more similar revelations as the IRS picks up the debris from the 2014 tax
season -- and it wouldn't surprise me at all if the true target of the Anthem
breach wasn't in fact the IRS: this crime is just too damn easy to pull off
and get away with. The bright side of all this: things very clearly have to
change, and I wouldn't be at all surprised if the IRS ends up issuing PINs to
all e-filers this coming year.

[1] [https://www.anthemfacts.com](https://www.anthemfacts.com)

~~~
__z
So the IRS has a form you can send in to put a fraud alert or some type with
them so I guess they will give your tax return special attention to see if it
is really you next time.

Also - I'm confused - I have an e-file PIN. You don't?

~~~
clogston
IRS requires you to authenticate yourself via one of two mechanisms if you
efile (regardless of who you do your taxes with):

1) Prior year AGI

2) Electronic filing PIN

They can also issue a taxpayer a special Identity Protection PIN. If you're
issued one of these you MUST use it.

There are two groups of people that don't need to "authenticate" at all:

1) Anyone who didn't file the previous tax year

2) Anyone filing by mail

------
malchow
If this were a company, the headline would have been "IRS hacked; tax
information stolen from 100,000." Instead the IRS was able to spin it to The
Washington Post. The headline is "thieves stole tax info." Thieves!

The real headline is that the IRS is hackable.

~~~
grecy
> _Instead the IRS was able to spin it to The Washington Post. The headline is
> "thieves stole tax info." Thieves!_

They spun it even better than that. The headline is "thieves stole tax info
from 100,000 people" (i.e. not from the IRS, but from the people themselves)

~~~
ljk
why does the realization of this sneaky tactic make me so mad

------
zaroth
Krebs wrote about this in March: [http://krebsonsecurity.com/2015/03/sign-up-
at-irs-gov-before...](http://krebsonsecurity.com/2015/03/sign-up-at-irs-gov-
before-crooks-do-it-for-you/)

He has some good advice; claim your account before someone else does.

~~~
protomyth
"Kasper said the detective learned that money was deposited into her account,
and that she sent the money out to locations in Nigeria via Western Union wire
transfer, keeping some as a profit, and apparently never suspecting that she
might be doing something illegal."

I am having a really tough time believing she never suspected she was doing
something illegal.

~~~
ceejayoz
> I am having a really tough time believing she never suspected she was doing
> something illegal.

Why? People fall for the "I have $20 million for you, I just need a few
hundred bucks to do the paperwork" scam all the time.

~~~
protomyth
I'm a little shocked a college student fell for it. I would have a tough time
hiring such a person because they would be a serious security risk.

------
revelation
Something is wrong with the wording here. Thieves stole the tax info _of_
100,000 but they stole it _from_ the IRS.

Make no mistake: IRS needs to be held responsible for this. It is their fault.

~~~
paulhauggis
So when the victim is someone you don't like, it's somehow their fault??

The fault should be with the person/people that stole the tax information, not
the IRS.

Blaming the IRS would be like blaming a home owner for not installing a good
enough security system when they get robbed instead of the criminals.

~~~
click170
Perhaps, but what I can blame them for is for having very poor monitoring (50%
failure rate and nobody noticed??) and poor security, culminating in this data
breach.

People need to be held accountable for the security of their systems when they
are storing personally identifiable information on customers or the public at
large.

Edit: Perhaps they shouldn't be blamed when someone leverages a zero-day to
break in, but if this is due to their failure to patch their systems, IMO
their 100% liable for everything that follows.

~~~
ceejayoz
50% failure rate is probably pretty normal for a form asking for SSN, name,
address, and birth date - I fail my bank's security questions at least 1/3 of
the time because things like "Anywhere Street" and "Anywhere St" are not the
same.

------
bane
Taxes in the U.S. are absolutely ridiculous. Nearly everything is already
reported to the IRS by employers, banks, brokers, etc. Why spend hours filling
out and copying all that crap, and signing thing after thing after thing just
to send the IRS information they already have?

The problem seems to be trying to carve out exemptions for little things here
and there.

Just use a decent tax rate, get rid of all that crap, calculate what I owe and
send me a bill or send me a check if I over-withheld or something.

Ugh it's so hard building a proper civilization.

~~~
alexqgb
_Why spend hours filling out and copying all that crap, and signing thing
after thing after thing just to send the IRS information they already have?_

Because Intuit, H&R Block, and others like them who have built substantial
businesses doing all that empty-work for you have made damn sure that Congress
doesn't legislate their meal ticket away.

------
byoung2
_The IRS said the thieves accessed a system called “Get Transcript.” In order
to access the information, the thieves cleared a security screen that required
knowledge about the taxpayer, including Social Security number, date of birth,
tax filing status and street address._

Do we know if the system was compromised, or if the thieves just had access to
the personal information of those taxpayers?

~~~
seanp2k2
This happened to a few people I work with. 100k seems low. They found out by
the IRS rejecting their return as they had "already filed".

You'd think we'd have a better system by now than a short-ish unique number
which never changes during your lifetime as the key for much of your financial
/ credit-related authorization.

~~~
dragontamer
USPS is rumored to be working on such a system actually.

[http://securekey.com/press-releases/securekey-
technologies-w...](http://securekey.com/press-releases/securekey-technologies-
wins-contract-with-u-s-postal-service-to-implement-federal-cloud-credential-
exchange/)

SecureKey IIRC is used by Canada. USPS is in a unique position in that they
have a _ton_ of employees literally who can verify mailing addresses by brute
force. Every day (except holidays). Rain, Snow or shine.

Having USPS in charge of the US's future "online identity" would be a good way
of transforming the ailing agency and giving them a very useful purpose that
only USPS can do. There's a lot of win/win potential here.

~~~
r00fus
This is/should be the main offering of the USPS - secure identity location
verification.

It's too bad their hands are so tied by Congress (and a malicious one at that
- having to pay pension fund 75 years early)... they might have made this move
a decade or so earlier.

~~~
xrange
...isn't that 75 year thing incorrect?

[http://www.cnbc.com/id/45018432](http://www.cnbc.com/id/45018432)

------
davidcelis
If you're wondering whether or not this happened to you, one way to know is if
you were able to file your own return. If your own tax return was rejected
because it had already been filed, it means someone was able to attempt to
file a fraudulent return using your identity. Of course, this is only assuming
that they managed to submit a return as you at all. It's possible your
information was taken but not used.

------
jsat
Imagine if all government software was open source and significant bug reports
and contributions were rewarded with cash... I hope we reach some happy medium
between that and what we have today in the future.

~~~
ceejayoz
This wasn't a hack or a bug - open source software built to do the same thing
would've been just as vulnerable to this.

Per the article, the attackers had to put "the taxpayer’s Social Security
number, date of birth, address and tax filing status" into a form to get
access.

~~~
jsat
I see. Maybe the additional exposure would have shed light on the risk
involved?

------
vinhboy
I'll never understand why our politicians continue to cut funding to the one
organization that could help the government save AND make more money.

Not to mention save all of us from the headache of things like this.

~~~
acdha
You assume that the goal is to make society better. Currently one of the two
major parties has aggressively staked out the position that government cannot
work and should be privatized – from that perspective dysfunction is a goal,
not a problem.

I liked Adam Gopnik's summation last week:

“What we have, uniquely in America, is a political class, and an entire
political party, devoted to the idea that any money spent on public goods is
money misplaced, not because the state goods might not be good but because
they would distract us from the larger principle that no ultimate good can be
found in the state. Ride a fast train to Washington today and you’ll start
thinking about national health insurance tomorrow.”

[http://www.newyorker.com/news/daily-comment/the-plot-
against...](http://www.newyorker.com/news/daily-comment/the-plot-against-
trains)

~~~
ahallock
Just a talking point--empirically that's not true.

~~~
acdha
> empirically that's not true

Feel like expanding that point? I mean shrinking government and changing
society so people depend on it less is literally part of the national GOP
platform. Is your argument just that they're not willing to sabotage things
for political advantage? (and, if so, how are we to explain the billions spent
shutting down the federal government as a negotiating tactic?)

~~~
ahallock
Let's see the drug war, DHS, military, NSA, no child left behind--just to name
a few. The gov increased under Reagan despite what conservatives will tell
you. The GOP has been part of massive increases in gov. Why would someone in
political power ever be for downsizing gov, save a few outliers? It's just
pandering to the base.

A short-term sabotage is not out of the question.

Actually, I have a graph showing how gov actually increases more under GOP
control than democrats. Hold on.

~~~
acdha
I must not have made my position clear. I don't think that they're
particularly committed or effective deficit hawks – the true fiscal
conservatives were purged years ago – but rather that this is now a key part
of their public image. They heavily promote the idea that government is
inefficient because it keeps people voting for them and, most importantly,
keeps corporate-backed groups like Fox News from going on the attack in the
next election.

That might necessitate a token effort somewhere to cut things but the real
goal is the posture, not the results, so maximizing inefficiency isn't
something they're concerned with. In most cases, they'll try to cut things
which affect people who don't vote for them anyway – mass transit, funding for
the poor, etc.

------
scottm01
It looks like they've at least pulled the link to request transcripts online.

 _Alert:_ _The online Get Transcript service is currently unavailable._
_Transcripts may still be ordered using the Get Transcript by_ _Mail service.
We apologize for any inconvenience._

------
daveloyall
Multiple commenters have said that ~100,000 is "too low".

The number quoted in the article is 104,000.

Obvious questions:

1\. Is 104,000 the exact count, or has it been rounded?

2\. Did the hackers stop when their success count got there?

3\. Does nobody else think it is funny that 1040 is a factor of 104,000? :)

[edited a lot]

~~~
iamlolz
How is 1040 a famous number?(Australian here)

~~~
ketralnis
1040 is the name of the primary income tax reporting form in the US (and has
variants like 1040A & 1040EZ).

(I can't comment on the rest of that rant though)

~~~
iamlolz
Ah, that makes sense - thanks.

------
jakeogh
Translation: We are going to collect your data. Give it to us, or else. If
it's stolen, that's your problem. You dont get to choose.

------
newman8r
yeah this happened to me last year

