Inside the Massive IRS Data Breach

A security expert, who was a victim of the breach, gives a detailed account of the audacious hack of the IRS.

Keith Collins, Quartz
Aug. 27, 2015, 10:17 a.m.

Kasper asked for more details. Perhaps the bank account number listed on the fraudulent return would lead him to the thief, or at least confirm that it was a scam.

But the operator wouldn’t tell him. To comply with a law protecting confidentiality, the IRS doesn’t divulge the details of a fraud to anyone—including the taxpayer affected by it—until it has conducted its own internal investigation. A fraudulent return could include the personal information of another innocent taxpayer, John Koskinen, the IRS commissioner, explained at the Senate hearing (video, at 1:40:40). In fact, the IRS will leave not only the person affected by the fraud in the dark but also law enforcement agencies and any banks where fraudulent funds have been sent.

Fighting bureaucracy with bureaucracy

Kasper felt this concern for privacy was protecting the criminals who had stolen his identity. Frustrated, he went to the “Get Transcript” service on the IRS website, which allows taxpayers to retrieve the details of their past tax returns. He figured it might lead him to the crook. But when Kasper attempted to use the service, he found that another email address was already registered to his Social Security number. He called the IRS again. Once more, though the people he spoke to seemed to agree that the address was fraudulent, they wouldn’t, for privacy reasons, tell him what the email address was.


But Kasper found a way to bypass the IRS’s stringent privacy rules with a little bit of bureaucracy—and a check. For $50, he was able to request a paper copy of his 2014 tax return, sent to his home address, which the scammers had not tried to change. By mid-March he had the fraudulent document in his hands.

This form, which had been filled out by strangers and submitted under Kasper’s name, looked very much like the return he himself had filed for the 2013 tax year. The crooks somehow knew Kasper’s Social Security number, his date of birth, and his real address. They knew his marital status. They even knew his salary. It was all right there on the photocopied form.

The only major differences between the 2014 return and the one Kasper had filed a year earlier were an additional $6,000 added to his withholdings—and a bank account number he’d never seen before.

How it happened

Not until May 26 did the IRS announce a major data breach. Hackers had used the “Get Transcript” page to steal data—specifically, the contents of previously filed tax returns—on thousands of taxpayers and then used that information to file the new, falsified returns. At first, the IRS said more than 100,000 people’s records had been stolen. This month it revised the figure up to 334,000.

Logging in to “Get Transcript” is a two-step process that requires a lot of personal data. In the first step, a user has to provide a Social Security number, date of birth, tax filing status, and street address, according to the IRS statement. The second step is a common identity-verification method known as Knowledge-Based Authentication, or “KBA,” and it involves a series of multiple-choice questions that ask the user about his or her credit history. These questions can range from “On which of the following streets have you lived?” to “What is your total scheduled monthly mortgage payment?”

How had the intruders obtained all that data for 334,000 people? Names, addresses, and Social Security numbers could very well have come from previous high-profile data breaches, such as those at the health insurers Anthem and Premera Blue Cross. Indeed, Kasper was one of millions of Anthem customers whose personal data had been compromised. Personal data and identities from such breaches are also frequently sold on the “dark Web.” But to break through KBA without also having credit information on hand—data that came from a bank or a credit bureau—would be difficult.

Difficult, but not impossible, Kevin Fu, a computer-science professor at the University of Michigan, told Quartz.

“Just knowing a person’s address, which you can get from one of these more traditional breaches, you can discover a lot about a person,” Fu said. “For instance, you can make a pretty good guess on who owns their mortgage when [the KBA tests] present you with four banks and only one of them happens to be in the city that person lives in.”

All the same, while that approach makes sense for the thief who is looking to defraud only a handful of taxpayers and can manually answer KBA questions, it wouldn’t be practical to do it 334,000 times. Such a criminal would have to, for example, write some computer code to find all of the banks near each taxpayer’s address, read the multiple-choice options of the bank question, cross-reference the two, and hope for a hit.

A clue to the method the attackers used is that although they successfully stole 334,000 people’s tax information, they tried to steal it for another 281,000, according to the IRS, and got foiled at the final verification step. That could indicate that the hackers had credit data on only some of their victims, or that they found a pattern in the multiple-choice KBA questions that they were able to correctly predict about half the time. (For example, the correct answer to a given KBA question can frequently be “none of the above.”)
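The passage above points at two things a defender can measure: KBA answers that are predictable (for instance, “none of the above” being correct much of the time) and a resulting pass rate of roughly one in two. The following added example, which is not code from the article, the IRS or Quartz, shows how the operator of a KBA service could audit its own question bank for that kind of bias. It assumes four options per question, that every question is served in every session, and that a session passes only when every answer is correct; the observation data is constructed for illustration. It computes how often a guesser with no data about the taxpayer would pass, compares that with a uniform baseline, and flags the questions that drive the gap.

```python
"""Audit a knowledge-based-authentication (KBA) question bank for predictable answers.

Constructed example, not IRS or Quartz code. Assumptions: every question is
multiple choice with N_OPTIONS options, every question is served in every
session, and a session passes only if all answers are correct.
"""
from collections import Counter
from math import prod

N_OPTIONS = 4  # assumption: options A, B, C plus "None of the above" (N)

# Constructed observations: for each question template, the option that turned
# out to be the correct answer across ten past legitimate sessions.
BIASED_BANK = {
    "streets_lived":    list("NNNNNNNNAB"),  # "none of the above" correct 80% of the time
    "mortgage_payment": list("NNNNNNNABC"),  # 70%
    "auto_loan_lender": list("NNNNNNNNNA"),  # 90%
}

# Constructed bank where correct answers are spread across the options.
UNIFORM_BANK = {
    "streets_lived":    list("AAABBBCCNN"),
    "mortgage_payment": list("AABBBCCCNN"),
    "auto_loan_lender": list("AABBCCCNNN"),
}


def answer_distribution(observations):
    """Fraction of sessions in which each option was the correct answer."""
    counts = Counter(observations)
    total = len(observations)
    return {opt: n / total for opt, n in counts.items()}


def best_blind_guess(observations):
    """The option a guesser with no data about the taxpayer should pick for this
    question, and the probability that pick is correct."""
    dist = answer_distribution(observations)
    opt = max(dist, key=dist.get)
    return opt, dist[opt]


def blind_pass_probability(bank):
    """Probability that a guesser who always picks the most frequent correct
    option for each question answers every question in a session correctly."""
    return prod(best_blind_guess(obs)[1] for obs in bank.values())


def uniform_pass_probability(bank, n_options=N_OPTIONS):
    """Baseline pass probability when correct answers are evenly spread."""
    return (1 / n_options) ** len(bank)


def audit(bank, n_options=N_OPTIONS, max_ratio=2.0):
    """Return the questions whose most common correct option is more than
    max_ratio times as likely as it would be under an even spread."""
    threshold = max_ratio / n_options
    flagged = {}
    for name, observations in bank.items():
        opt, p = best_blind_guess(observations)
        if p > threshold:
            flagged[name] = (opt, p)
    return flagged


if __name__ == "__main__":
    for label, bank in (("biased", BIASED_BANK), ("uniform", UNIFORM_BANK)):
        print(f"{label}: blind-guess pass rate {blind_pass_probability(bank):.3f}, "
              f"uniform baseline {uniform_pass_probability(bank):.4f}, "
              f"flagged questions {sorted(audit(bank))}")
```

With the constructed biased bank, a guesser who always picks “none of the above” passes about 50% of sessions against a uniform baseline of 1.6%, which is the order of magnitude the article describes; the same measurement run over real session logs tells an operator which question templates to retire or rebalance.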


In any case, once the hackers had successfully obtained taxpayers’ personal data, they now had to use it to create new tax returns. Comparing Kasper’s real return to the fraudulent one submitted under his name, it seems clear that this process—which involves filling out PDF forms and submitting them online—would have been automated too.

Finally, they would have submitted the fake tax returns to the IRS, then waited. If a taxpayer had already filed a return when the fraudulent one was submitted, the fraudulent one would be rejected. If accepted, it would still have to pass a series of fraud-detection filters. When the IRS first announced the data breach in May, it said that 15,000 of the falsified documents got all the way through, leading to $50 million in refunds. Whether that number will rise after the IRS’s extended analysis is still under review, according to the agency.

But how did the criminals then collect the $50 million? In January of this year, the IRS started limiting how many separate tax rebates could be direct-deposited in the same bank account. To get around the limit, the hackers would have had to open thousands of bank accounts. There doesn’t seem to be a reasonable way for even a sophisticated criminal to do something like that. This part of the operation remains unclear; we still do not know how the crooks got paid.

In the case of Michael Kasper, however, we do know where the money went. Sort of.
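The paragraph above mentions the per-account limit the IRS placed on direct-deposited refunds. As an added example, not IRS code, here is how such a control could be implemented as a batch check over refund records before payments are released: it counts distinct taxpayers whose refunds are routed to the same (routing number, account number) pair and flags the pair once the count passes the limit, and it rejects deposits whose routing number fails the standard ABA check-digit test. The limit of three refunds per account, the record layout and the records themselves are constructed for illustration.

```python
"""Flag refund deposits that exceed a per-account limit and reject malformed routing numbers.

Constructed example, not IRS code. The limit, record layout and records are
all assumptions made for illustration.
"""
from collections import defaultdict

MAX_REFUNDS_PER_ACCOUNT = 3  # assumed limit for this example


def routing_number_valid(rtn: str) -> bool:
    """ABA routing transit number check: nine digits, weighted 3,7,1 repeating,
    and the weighted sum must be divisible by 10."""
    if len(rtn) != 9 or not rtn.isdigit():
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(d) * w for d, w in zip(rtn, weights)) % 10 == 0


# Constructed refund records: (taxpayer placeholder id, routing number, account number, amount).
# "123456780" and "987654320" satisfy the ABA check digit; "123456789" does not.
REFUNDS = [
    ("TP-0001", "123456780", "00012345", 1200.00),
    ("TP-0002", "123456780", "00012345", 950.00),
    ("TP-0003", "123456780", "00012345", 2100.00),
    ("TP-0004", "123456780", "00012345", 1875.00),  # fourth taxpayer into one account
    ("TP-0005", "987654320", "55500001", 640.00),
    ("TP-0006", "123456789", "77700002", 3100.00),  # bad routing check digit
]


def flag_deposits(refunds, limit=MAX_REFUNDS_PER_ACCOUNT):
    """Return (over_limit, bad_routing).

    over_limit maps (routing, account) to the sorted taxpayer ids whose refunds
    target it when more than `limit` distinct taxpayers share the account;
    bad_routing lists taxpayer ids whose routing number fails the check digit.
    """
    by_account = defaultdict(set)
    bad_routing = []
    for taxpayer, rtn, acct, _amount in refunds:
        if not routing_number_valid(rtn):
            bad_routing.append(taxpayer)
            continue
        by_account[(rtn, acct)].add(taxpayer)
    over_limit = {key: sorted(ids) for key, ids in by_account.items() if len(ids) > limit}
    return over_limit, bad_routing


if __name__ == "__main__":
    over, bad = flag_deposits(REFUNDS)
    for (rtn, acct), taxpayers in over.items():
        print(f"hold: {len(taxpayers)} refunds to routing {rtn} account {acct}: {taxpayers}")
    for taxpayer in bad:
        print(f"reject: {taxpayer} has a routing number that fails the check digit")
```

Counting distinct taxpayers rather than raw records means a legitimately resubmitted return for one person does not trip the limit, while a mule account collecting refunds for several victims, like the one described later in the article, does.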

The Nigerian connection

Back in March, Kasper looked over the fraudulent tax return that had been filed under his name. There was a bank account number on it that was not his, and next to it, a routing number. Kasper found out that the routing number belonged to a bank in Williamsport, a city of about 30,000 in central Pennsylvania.

After a few phone calls, Kasper reached Barbara Austin, the head of account security at the First National Bank of Pennsylvania. She told him that in February the IRS had deposited $8,936, with Kasper’s name and Social Security number as a reference, into an account in someone else’s name. Most of that money, Austin said, was now gone. And although Kasper had filed a fraud report with the IRS more than a month earlier, no one from the government had contacted Austin about the deposit.

Kasper then contacted the Williamsport police. Within a couple of days, a detective named Donald Mayes had checked with the bank and identified the owner of the account. Her name was Isha Sesay—a small-framed, 21-year-old resident of Williamsport.


Sesay told Mayes (according to an arrest warrant that would later be filed, and an email Mayes later sent to Kasper) that she’d been hired on Craigslist as a personal assistant. Her only duties were to open a bank account, into which funds would sporadically be deposited, and to wire some of those funds to places like Nigeria.

For her trouble, Sesay would be allowed to keep a portion of the deposits. She admitted to Mayes that the job seemed “odd,” but explained that she needed the money. Bank records obtained by the police indicated that Sesay had indeed written a check for $7,000 to cash, but she could not provide any documentation of the wire transfers she claimed to have made with that cash.

Sesay’s bank records also indicated that she used the leftover $1,936 for rent and daily living expenses. “By the end of February 2015,” Mayes wrote in the arrest warrant, “Sesay’s account would have a balance of $4.58.” The account was then closed.

A woman who answered a call from Quartz in early July at the phone number listed on Sesay’s arrest warrant made only one brief comment before hanging up. “Isha is dead,” she said.

Mayes told Quartz Sesay is still living, as far as he knows. She waived her right to a preliminary trial, Mayes said, and was released on $8,500 bail. He added: “She’ll end up taking a plea and probably won’t go to trial.” In addition to the fraudulent tax refund, police found that Sesay had also received a deposit linked to a romance scam. She is charged with receiving stolen property.

It seems most likely that Sesay was merely a small part of a much larger operation. In his email to Kasper, Mayes noted: “You still have to contend with the fact that she may be telling the truth and that someone else has obtained your personal information.”

Dubious solutions

Michael Kasper received his actual tax refund on May 12, along with a letter confirming that this was a case of identity theft. “But I don’t know if they ever tried to prosecute anyone,” he said, “or identified whether it was from overseas or what.” And the IRS was not interested in what Kasper had found out about his case.

“I even tried to call them back and say, look, somebody’s been arrested, here’s some additional information,” he said. “And they literally would not take that information when I called. They said, ‘We do not accept tips on identity theft.’”

The IRS has yet to confirm or deny whether the fraud committed against Kasper was part of the larger scam. However, like the 334,000 victims of that scam, Kasper has received a special “Identity Protection PIN” from the IRS, which he will have to use to confirm his identity on future federal tax returns. He argues it’s not a secure solution.

“I already know that whoever got my tax transcript can also get my identity PIN the same way,” he said. “They have the same authentication on the website to get the identity PIN as they do for the ‘Get Transcript.’ So I don’t know what’s going to stop someone from filing again as me next year.” Fu, who has gone through the login process for retrieving an IP PIN, told Quartz the process is indeed similar, and possibly even slightly less secure.

The IRS did not comment on that, but did send Quartz a statement outlining the security benefits of IP PINs. For one, it said, access to an IP PIN itself “does not expose taxpayer Personally Identifiable Information.” (It doesn’t grant access to other personal data, in other words.) Also, taxpayers who use IP PINs will be sent a new one in the mail each year, “prior to each tax season—making it much harder for an identity thief to access this information.” That is, hackers would have a small window—between the end of the tax year and the moment a taxpayer files a return—to try to steal the IP PIN. The statement added: “In addition, we carefully monitor IP PIN traffic in order to respond swiftly to any potentially suspicious activity.”

The IRS commissioner, John Koskinen, suggested at June’s Senate hearing that the agency will bring back the “Get Transcript” page with stronger authentication, but did not say whether KBA will be reviewed across the board. A Government Accountability Office (GAO) report in January, before the fraud was announced, had noted the limitations (pdf) of the KBA process.

Koskinen also said that, in cases where someone like Kasper needs a copy of a fraudulent document filed under his name, the IRS has set up “a situation where we can simply redact any third-party information on a return and give the taxpayer a copy of the fraudulent return so they’ll know exactly what was in there.”

Kasper suspects that means the IRS would remove the only information that led him to Williamsport, and that helped the police there find Isha Sesay. “It would not surprise me at all if they do that,” he said.

[Chart: Internal Revenue Service investigations by fiscal year. Source: Atlas by Quartz]

Left behind

For the IRS, the fraud problem far exceeds the $50 million lost in this one incident. According to the GAO’s January report, the IRS prevented the loss of $24.4 billion to fraud in 2013, but still lost a total of $5.8 billion that year. And although the agency currently has 81,000 full-time employees and an operating budget of $10.9 billion, it initiated only 4,297 criminal investigations in 2014—some 1,000 fewer than the previous year. Meanwhile, the number of sophisticated computer attacks nationwide continues to rise.

At the hearing, Koskinen listed several reasons the agency is not excelling in the realm of computer security. Its systems are antiquated, he said. Some of its applications “have been running for 50 years.” Some of the software used at the IRS is no longer supported by the people who made it. And the agency simply doesn’t have the funds in place, he said, to recruit top talent from the private sector.

He added: “It’s a difficult challenge competing with organized criminals who have resources.”

As of mid-August, the IRS still had not contacted the First National Bank in Williamsport, nor the police there who solved Kasper’s case.
