IRS Breach: “Criminals Access 100,000 IRS Tax Returns”

On June 3rd, I logged into my computer, opened up the BBC news and clicked through to the Tech section. The top headline was “Criminals access 100,000 IRS tax returns.”

My immediate reaction was “so that’s where all the Anthem data went.”


This headline completely underscored how today’s cyber criminal is becoming more and more sophisticated. It has become a harsh reality that criminals have so many weapons in their arsenal that it is becoming more and more difficult to keep up with them, let alone predict their next plan of attack.

In this latest breach, stolen personal data was used to file bogus tax returns and claim $50M in refunds (at least that is the number which the IRS is willing to admit to). In all probability, the personal data used in the bogus tax filings was stolen during one or more of the recent high profile breaches reported in the mainstream media: Anthem, eBay, JP Morgan Chase or one of the many others.

Unfortunately, like many high profile breaches, I believe this one too could have been avoided had the IRS been given or, for that matter, requested a list of affected consumer data from earlier breaches. Had they done this, a trigger could have been set up to raise an alarm every time a tax return was filed for someone on the watch list. Additionally, an automatic response could have been set up to alert investigators, such as a follow-up phone call or a verification email, each time an alarm was triggered. These actions would have allowed further investigation to verify or discredit the return. This type of trigger could easily have been set up within a system like LogRhythm’s NextGen SIEM Platform.

Furthermore, based on the information provided by the IRS, it seems that for each one of the bogus tax returns a brand new online account was set up with a different email address from the one used for previous tax return filings. Again, a process to detect this type of activity could easily have been incorporated into the trigger I proposed above. All of this could easily be set up within LogRhythm’s TLM using NetMon.
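The two triggers described above (an alarm whenever a return is filed for an identifier on a breach watch list, and a second alarm when the filing comes from a brand new account whose email differs from the one on the previous filing) are small enough to show as code. The following is an added example written for this post; it is not LogRhythm's, the IRS's, or any SIEM's own rule language. The watch list, the prior-filing history, the taxpayer identifiers (deliberately non-real `000-00-000x` placeholders) and the seven-day "brand new account" window are all constructed assumptions.

```python
"""Constructed example: watch-list and new-account triggers for tax-return filings."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Filing:
    ssn: str               # taxpayer identifier (constructed placeholder values only)
    email: str             # email on the online account that filed the return
    account_created: date  # when that online account was created
    filed: date            # when the return was filed
    refund: int            # refund claimed, in dollars


@dataclass
class Alert:
    ssn: str
    reasons: list
    actions: list


# Constructed watch list: identifiers reported as exposed in earlier breaches.
WATCH_LIST = {"000-00-0001", "000-00-0002"}

# Constructed filing history: email used on each taxpayer's previous filing.
PRIOR_EMAIL = {
    "000-00-0001": "alice@example.com",
    "000-00-0003": "carol@example.com",
}

# Assumption: an account younger than this at filing time counts as "brand new".
NEW_ACCOUNT_WINDOW_DAYS = 7


def evaluate(filing, watch_list=WATCH_LIST, prior_email=PRIOR_EMAIL):
    """Return an Alert for this filing, or None if neither trigger fires."""
    reasons, actions = [], []

    # Trigger 1: the identifier appears on the breach watch list.
    if filing.ssn in watch_list:
        reasons.append("identifier on breach watch list")
        actions.append("hold refund; schedule follow-up call")

    # Trigger 2: brand new account filing with an email that differs from the
    # one used on the taxpayer's previous filing.
    previous = prior_email.get(filing.ssn)
    account_age_days = (filing.filed - filing.account_created).days
    if (previous is not None
            and filing.email != previous
            and account_age_days <= NEW_ACCOUNT_WINDOW_DAYS):
        reasons.append("new account with email different from previous filing")
        actions.append(f"send verification email to {previous}")

    if not reasons:
        return None
    return Alert(filing.ssn, reasons, sorted(set(actions)))


def run(filings, **kwargs):
    """Evaluate every filing and return only the ones that raised an alert."""
    return [alert for alert in (evaluate(f, **kwargs) for f in filings) if alert]


# Constructed sample filings.
SAMPLE_FILINGS = [
    # Legitimate: not on the watch list, same email as the previous filing.
    Filing("000-00-0003", "carol@example.com", date(2013, 2, 1), date(2015, 4, 10), 900),
    # On the watch list and filed from a one-day-old account with a new email.
    Filing("000-00-0001", "refund.now@example.net", date(2015, 3, 29), date(2015, 3, 30), 4800),
    # On the watch list, but no previous filing on record to compare against.
    Filing("000-00-0002", "bob@example.org", date(2015, 3, 1), date(2015, 4, 1), 1200),
]


if __name__ == "__main__":
    for alert in run(SAMPLE_FILINGS):
        print(alert)
```

Both triggers will fire on some legitimate filers (a taxpayer who genuinely changed email addresses, or whose identifier was exposed but who has not been targeted), which is why the automated response is a hold plus a verification step rather than an outright rejection; the alert exists to route the return to an investigator, matching the "verify or discredit" step described above.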

Of course, with the benefit of hindsight it is easy to see how major events like these could easily have been avoided, but someone should have seen this type of attack coming. There need to be safeguards in place for when sensitive data is stolen. For example, when a consumer’s credit card is compromised, they are sent a new credit card. However, when the social security number of an American citizen is stolen, they are not issued a new one, nor are flags put in place to detect future unauthorized usage.


If nothing else, as a result of this and other breaches over the last year, we have learned that cybercrime is now more lucrative than drug crime. There is less risk and greater reward. Organized crime gangs from Russia, China and other countries around the world are getting better and better at stealing personal data and then either using it or selling it for massive financial gain.

A well-recognized reality in today’s InfoSec community is “They Will Get In.” Therefore, it is what you do once criminals have breached your network, and how fast you react, that truly determines how devastating a breach turns out to be. Organizations face a giant game of chess, where they must act and react, being as predictive as possible.

Determining what data had been stolen during the Anthem breach and others, as well as its possible uses, might have led to the implementation of a system or process designed to prevent what happened at the IRS. Perhaps this latest high profile attack on one of the bastions of American society will provoke some far-reaching and more stringent systems and processes to be implemented. Perhaps not. Time will tell.