Add the United States Internal Revenue Service (IRS) to the list of recent large scale data breaches.
With their announcement on May 26, 2015 that more than 100,000 U.S. taxpayers’ information was illegally accessed through the “Get Transcript” web application, the IRS has joined Target, Premera and others in the ranks of large scale data breach victims.
According to the IRS, the information accessed included taxpayers’ Social Security information, date of birth and street address. The IRS also indicated that attackers attempted, but failed, to access the records of another 100,000 taxpayers.
While on the surface, this sounds similar to the breaches that have been making headlines lately, this is a very different sort of compromise.
Based on official information, this was a significantly more sophisticated and concerted attack. Also, it almost certainly could only happen by using information that had previously been lost, stolen or otherwise obtained by the attackers.
This incident has more in common with the celebrity “doxxings” that happened in 2013. In that situation, many public figures had detailed personal information leaked on the web. Investigations showed this information was obtained because attackers were able to assemble enough information to pose as the victims when answering detailed personal identifying questions. All indications are that something very similar happened here.
Put another way – everyone who’s a victim of the IRS hack was likely a previous victim of another hack or data breach.
The IRS is contacting all 200,000 individuals whose information was either stolen or attempted to access by these cybercriminals. The IRS is also offering one year of credit monitoring for those whose information was obtained.
If your information was accessed, you should absolutely enroll in the credit monitoring that’s offered. If you’re one of the other 100,000 people, you should conduct a thorough review of all your financial and health records as there is a good chance you’ve been the victim of another incident and may not be aware.
Even if you’re not a victim of the IRS hack, this situation demonstrates that real time credit monitoring and identity theft protection is something we should all use as a regular practice.
But even real time credit monitoring is not a panacea – it likely didn’t provide much protection against this high-profile hack. Real time credit monitoring only protects against attempts to open new financial accounts in your name, which wasn’t the case here.
And so the most important lesson from this latest spate of data breaches is that we have to engage in careful monitoring of our personal, financial and health information at all times. All signs point to things getting worse for the foreseeable future with little to no sign of relief any time soon.
Please add your thoughts in the comments below or follow me on Twitter; @ChristopherBudd.