IRS Hacked, 101K PINs For Electronic Tax Filing Stolen (aka, What’s New?).

According to the article, the IRS had to block an unknown person or persons who were downloading a massive trove of PINs used for electronic tax filing:

The attack occurred in January and targeted an IRS Web application that taxpayers use to obtain their so-called Electronic Filing (E-file) PINs. The app requires taxpayer information such as name, Social Security number, date of birth and full address.

Attackers attempted to obtain E-file PINs corresponding to 464,000 unique SSNs using an automated bot, and did so successfully for 101,000 SSNs before the IRS blocked it.

The information used to obtain the PINs, the IRS notes, came from sources other than the IRS. That is, from some other data breach – and God knows there have been plenty of them in the past ten years.

While the article didn’t go into how the PINs would be used, I assume that they’d be used, well, for fraudulently filing tax returns over the internet. Filing one’s taxes online, among other things, means that tax refunds are processed quickly. It’s even possible that the refund checks are on their way out before the actual taxpayer files his or her return. The scammer only has to make sure that the address

A quick visit to the IRS site shows that getting said PIN is not as straightforward as the above quote would have you believe. In order to get the PIN, you have to “Enter… information as it appears on your 2014 Federal Income Tax Return” (my emphasis), which includes one’s filing status (such as single, married – joint filing, etc) in addition to the usual information such as SSN, given name, etc.

That the would-be scammers obtained 100,000+ PINs – roughly a 22% success rate (101,000 of 464,000) – shows that either they made some very good guesses or the IRS was slow in reacting. Knowing that bots could easily fire off 400,000+ requests in minutes, I’d say the latter is unlikely.

On a tangent, my personal approach to the hack, assuming that filing status was unavailable, would have been to file all requests as “single” and mostly use data for men and women under the age of 30: on average, according to a 2013 analysis, the first marriage for women in the US is at age 27; for men it’s 29.

(Why not just run it for all people regardless of age? Because I’ve got to assume that the IRS checks to ensure that a bot isn’t running the show: once a certain success-to-fail threshold is crossed within a certain time frame, bells should be ringing somewhere. Large amounts of data mean you should think ahead to maximize success.)
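To make the “bells should be ringing” part concrete, here is an added example of the kind of check I have in mind. It is my own illustration, not anything the IRS runs or published. It assumes a made-up access-log format (timestamp, source IP, a fingerprint standing in for the SSN, and whether the lookup succeeded) and made-up thresholds. It keeps a sliding time window per source IP and flags a source that either sends too many lookups or fails too large a share of them, which is what a bot feeding stolen identities into a form looks like and what a real taxpayer who fat-fingers a field once does not. A second instance of the same detector watches the endpoint as a whole, since a bot spread across many IPs would otherwise slip under the per-source rule.

```python
"""
Sliding-window velocity check for a PIN-lookup endpoint (illustrative only).

Each lookup is keyed by a client attribute (source IP here, or '*' for the
whole endpoint) and judged against two thresholds inside a time window:
  - too many lookups from one key, regardless of outcome, and
  - a failure ratio no population of real taxpayers would produce.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Set, Tuple

# Constructed sample log lines (not real IRS data). Fields: timestamp,
# client IP, a fingerprint standing in for the SSN, and outcome.
# 203.0.113.7 behaves like a bot; 198.51.100.20 is a user who mistypes once.
SAMPLE_LOG = """\
2016-01-15T03:00:00 198.51.100.20 7c1a ok
2016-01-15T03:00:02 203.0.113.7 a1f3 fail
2016-01-15T03:00:02 203.0.113.7 b82c fail
2016-01-15T03:00:03 203.0.113.7 c9d0 ok
2016-01-15T03:00:03 203.0.113.7 d4e1 fail
2016-01-15T03:00:04 203.0.113.7 e5f2 fail
2016-01-15T03:00:04 203.0.113.7 f603 fail
2016-01-15T03:00:05 203.0.113.7 0714 fail
2016-01-15T03:00:05 203.0.113.7 1825 ok
2016-01-15T03:00:06 203.0.113.7 2936 fail
2016-01-15T03:00:06 203.0.113.7 3a47 fail
2016-01-15T03:07:30 198.51.100.20 7c1a fail
2016-01-15T03:09:00 198.51.100.21 8d2b ok
"""


@dataclass(frozen=True)
class Alert:
    key: str
    at: datetime
    requests: int
    failures: int
    reason: str


class VelocityDetector:
    def __init__(self, window: timedelta, max_requests: int,
                 min_sample: int, max_fail_ratio: float) -> None:
        self.window = window
        self.max_requests = max_requests      # volume ceiling per key per window
        self.min_sample = min_sample          # don't judge a ratio on 2 lookups
        self.max_fail_ratio = max_fail_ratio  # e.g. 0.6 = 60% of lookups failed
        # key -> (timestamp, failed?) events still inside the window
        self._events: Dict[str, Deque[Tuple[datetime, bool]]] = defaultdict(deque)
        self._alerted: Set[str] = set()

    def observe(self, key: str, at: datetime, failed: bool) -> Optional[Alert]:
        q = self._events[key]
        q.append((at, failed))
        # Slide the window: drop events older than `window` relative to `at`.
        while q and at - q[0][0] > self.window:
            q.popleft()
        n = len(q)
        failures = sum(1 for _, f in q if f)
        reason = None
        if n > self.max_requests:
            reason = f"{n} lookups in {self.window}"
        elif n >= self.min_sample and failures / n >= self.max_fail_ratio:
            reason = f"{failures}/{n} lookups failed"
        if reason is None or key in self._alerted:
            return None
        self._alerted.add(key)  # one alert per key keeps the pager readable
        return Alert(key, at, n, failures, reason)


def parse_line(line: str) -> Tuple[datetime, str, str, bool]:
    ts, ip, fingerprint, outcome = line.split()
    return datetime.fromisoformat(ts), ip, fingerprint, outcome != "ok"


def scan(log_text: str, per_source: VelocityDetector,
         endpoint_wide: VelocityDetector) -> List[Alert]:
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        at, ip, _fingerprint, failed = parse_line(line)
        for key, detector in ((ip, per_source), ("*", endpoint_wide)):
            alert = detector.observe(key, at, failed)
            if alert:
                alerts.append(alert)
    return alerts


def demo() -> List[Alert]:
    # Thresholds are assumptions for the demo, not tuned numbers.
    per_source = VelocityDetector(timedelta(minutes=5), max_requests=20,
                                  min_sample=5, max_fail_ratio=0.6)
    endpoint_wide = VelocityDetector(timedelta(minutes=5), max_requests=10_000,
                                     min_sample=500, max_fail_ratio=0.5)
    return scan(SAMPLE_LOG, per_source, endpoint_wide)


if __name__ == "__main__":
    for a in demo():
        print(f"ALERT {a.key} at {a.at:%H:%M:%S}: {a.reason}")
```

On the sample, the per-source rule fires on the fifth lookup from 203.0.113.7 (four of five failed), while 198.51.100.20’s second attempt arrives after its first has slid out of the window and is not counted against it. The endpoint-wide detector never sees enough traffic here to speak; its job is the case where one operator’s 464,000 lookups arrive from thousands of addresses, which is why a real deployment would key on more than the source IP and would rather rate-limit the endpoint than let a bot finish the list.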

Scams involving IRS tax returns are not new. It’s become something of an unwelcome, seasonal entry in the annals of data breaches. However, this latest attempt bears noting because it effectively shows how data breaches in the past can lead to data breaches in the present (and in the future).

The common refrain that we hear from the courts, when companies are sued for failing to prevent a data breach, is that the plaintiffs have “no standing.” That is, they cannot sue because they’re not actually victims of the data breach. Yes, their personal information was stolen. Arguably, the companies that were acting as data stewards did not do their utmost to protect this information. But what exactly is the damage to the plaintiffs – average Joes like you and me – from the data breach itself? Absent immediate and concrete bodily, financial, or reputational harm, the courts have found no tenable reason for castigating companies for data breaches within the legal system.

It is an exasperating situation, since the effects of the data breach can come to affect a person much, much later. In the physical world, the issue can be rectified in certain ways. If you end up, for example, getting lung cancer because you were employed to work with asbestos, whose effects show up decades later, you can go back and sue the employer. Perhaps you’ll win, perhaps you won’t, but you’ll definitely have standing. Not necessarily so in the digital realm; not with a data breach which, while it won’t result in a life-threatening disease, can have severe repercussions.

Of course, one could argue that when these severe repercussions do materialize, if they indeed materialize, then one can get standing. But with massive data breaches occurring left and right, who should be held responsible down the line? The thieves, scammers, and online conmen, sure. But what about the companies that enabled them and countless others by not properly protecting identifying information – that is lifelong and for all intents and purposes immutable – in the first place?

Companies may proclaim that they’re the victims of data breaches – which is not factually wrong. But would it be a stretch to blame, in addition to the thief, the banks for bank robberies if they continuously get robbed and won’t shore up their security? At some point, you can’t be blamed for concluding that (a) the banks don’t care or (b) the banks are in on it.

So, what to do? So far, it looks like one should just sit tight until something really, really goes wrong.
