IRS Attack Demonstrates How Breaches Beget More Breaches

As the IRS begins to dig into forensics around a breach in its online Get Transcript application that exposed 100,000 tax accounts to intruders, early information relea...

As the IRS begins to dig into forensics around a
breach in its online Get Transcript application
that exposed 100,000 tax accounts to intruders, early information released this week to the public is offering security food for thought to both public and private sector organizations. According to security pundits, the breach offers ample evidence of authentication weaknesses prevalent today and also shows how interconnected unrelated data breaches can really be.
The IRS said in a statement yesterday that criminals used taxpayer-specific data from non-IRS sources to gain unauthorized access to the breached accounts.
These third parties gained sufficient information from an outside source before trying to access the IRS site, which allowed them to clear a multi-step authentication process, including several personal verification questions that typically are only known by the taxpayer, the statement said, explaining that the Treasury Inspector General and the IRS Criminal Investigation unit are looking into it and have shut down the application in the interim.
According to Ken Westin, the way this breach went down illustrates how large scale breaches have transformed personal information into public information—or at least information publicly available on the black market.
We live in a world where the Internet has become a database of ‘you’ and where one data breach can easily feed another. According to the IRS, the data came ‘from questionable email domains’ and at a high velocity of requests, he explains. The information that was used to bypass the security screen, including Social Security numbers, dates of birth and street addresses, are all components of data that have recently been compromised in health insurance data breaches.
The authentication problems are two-fold. One is that agencies like the IRS, as well as private sector organizations, dont do enough to properly verify identity during enrollment for new accounts.
Authentication relies on being able to properly identify people at least once. But how do you know who you’re dealing with before that first identification happens? says Jeff Williams, CTO of Contrast Security. Well, the IRS decided that if you know a person’s SSN, birthday, and street address, then you must be that person. For government agencies in particular, we can do better. We should have an official channel that can provide higher assurance authentication before granting access to our personal information.
The second authentication weakness is the age-old weakness of depending solely on the lowly password to keep intruders at bay.
This data breach demonstrates the limitations of using static authentication credentials, especially information that cybercriminals are showing they can easily steal and then repurpose for data breaches such as this, says Tsion Gonen, vice president of strategy in identity and data protection at Gemalto.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
IRS Attack Demonstrates How Breaches Beget More Breaches