Inside the Massive IRS Data Breach

A security expert, who was a victim of the breach, gives a detailed account of the audacious hack of the IRS.

Keith Collins, Quartz
Aug. 27, 2015, 10:17 a.m.

Kasper asked for more details. Perhaps the bank account number listed on the fraudulent return would lead him to the thief, or at least confirm that it was a scam.

But the operator wouldn’t tell him. To comply with a law protecting confidentiality, the IRS doesn’t divulge the details of a fraud to anyone—including the taxpayer affected by it—until it has conducted its own internal investigation. A fraudulent return could include the personal information of another innocent taxpayer, John Koskinen, the IRS commissioner, explained at the Senate hearing (video, at 1:40:40). In fact, the IRS will leave not only the person affected by the fraud in the dark but also law enforcement agencies and any banks where fraudulent funds have been sent.

Fighting bureaucracy with bureaucracy

Kasper felt this concern for privacy was protecting the criminals who had stolen his identity. Frustrated, he went to the “Get Transcript” service on the IRS website, which allows taxpayers to retrieve the details of their past tax returns. He figured it might lead him to the crook. But when Kasper attempted to use the service, he found that another email address was already registered to his Social Security number. He called the IRS again. Once more, though the people he spoke to seemed to agree that the address was fraudulent, they wouldn’t, for privacy reasons, tell him what the email address was.


But Kasper found a way to bypass the IRS’s stringent privacy rules with a little bit of bureaucracy—and a check. For $50, he was able to request a paper copy of his 2014 tax return, sent to his home address, which the scammers had not tried to change. By mid-March he had the fraudulent document in his hands.

This form, which had been filled out by strangers and submitted under Kasper’s name, looked very much like the return he himself had filed for the 2013 tax year. The crooks somehow knew Kasper’s Social Security number, his date of birth, and his real address. They knew his marital status. They even knew his salary. It was all right there on the photocopied form.

The only major differences between the 2014 return and the one Kasper had filed a year earlier were an additional $6,000 added to his withholdings—and a bank account number he’d never seen before.

How it happened

Not until May 26 did the IRS announce a major data breach. Hackers had used the “Get Transcript” page to steal data—specifically, the contents of previously filed tax returns—on thousands of taxpayers and then used that information to file the new, falsified returns. At first, the IRS said more than 100,000 people’s records had been stolen. This month it revised the figure up to 334,000.

Logging in to “Get Transcript” is a two-step process that requires a lot of personal data. In the first step, a user has to provide a Social Security number, date of birth, tax filing status, and street address, according to the IRS statement. The second step is a common identity-verification method known as Knowledge-Based Authentication, or “KBA,” and it involves a series of multiple-choice questions that ask the user about his or her credit history. These questions can range from “On which of the following streets have you lived?” to “What is your total scheduled monthly mortgage payment?”

How had the intruders obtained all that data for 334,000 people? Names, addresses, and Social Security numbers could very well have come from previous high-profile data breaches, such as those at the health insurers Anthem and Premera Blue Cross. Indeed, Kasper was one of millions of Anthem customers whose personal data had been compromised. Personal data and identities from such breaches are also frequently sold on the “dark Web.” But to break through KBA without also having credit information on hand—data that came from a bank or a credit bureau—would be difficult.

Difficult, but not impossible, Kevin Fu, a computer-science professor at the University of Michigan, told Quartz.

“Just knowing a person’s address, which you can get from one of these more traditional breaches, you can discover a lot about a person,” Fu said. “For instance, you can make a pretty good guess on who owns their mortgage when [the KBA tests] present you with four banks and only one of them happens to be in the city that person lives in.”

All the same, while that approach makes sense for the thief who is looking to defraud only a handful of taxpayers and can manually answer KBA questions, it wouldn’t be practical to do it 334,000 times. Such a criminal would have to, for example, write some computer code to find all of the banks near each taxpayer’s address, read the multiple-choice options of the bank question, cross-reference the two, and hope for a hit.

A clue to the method the attackers used is that although they successfully stole 334,000 people’s tax information, they tried to steal it for another 281,000, according to the IRS, and got foiled at the final verification step. That could indicate that the hackers had credit data on only some of their victims, or that they found a pattern in the multiple-choice KBA questions that they were able to correctly predict about half the time. (For example, the correct answer to a given KBA question can frequently be “none of the above.”)
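The two guessing heuristics described above, and the pass rate the 334,000/281,000 figures imply, worked through in Python. This is an added example, not code from the article, the IRS, or the attackers. The quiz questions, the lender-to-city table, and the assumption that a quiz is four independent questions that must all be answered correctly are constructed for illustration.

```python
"""Guessing KBA answers from a victim's address alone.

Added example, not from the article. The lender/city table, the questions
and the four-question quiz shape are constructed assumptions.
"""
from dataclasses import dataclass

NONE_OF_THE_ABOVE = "none of the above"

# Constructed lender -> home-city table. A real attacker would build this from
# public branch listings; the assumption is that lenders are mostly local.
LENDER_CITY = {
    "Keystone Savings": "Williamsport",
    "Hudson Valley Credit Union": "Poughkeepsie",
    "Pacific Coast Bank": "San Diego",
    "Great Lakes Mortgage": "Detroit",
}


@dataclass
class Question:
    prompt: str
    options: list[str]
    answer: str  # ground truth held by the credit bureau; the attacker never sees it


def guess(question: Question, victim_city: str) -> str:
    """Choose an option using only the victim's city (known from the stolen address)."""
    # Heuristic 1: exactly one lender in the victim's city among out-of-town ones.
    local = [o for o in question.options if LENDER_CITY.get(o) == victim_city]
    if len(local) == 1:
        return local[0]
    # Heuristic 2: "none of the above" is frequently the correct answer.
    for o in question.options:
        if o.lower() == NONE_OF_THE_ABOVE:
            return o
    # No signal at all: fall back to the first option (a coin toss in practice).
    return question.options[0]


def passes_quiz(questions: list[Question], victim_city: str) -> bool:
    """KBA typically requires every question right; a single miss fails the attempt."""
    return all(guess(q, victim_city) == q.answer for q in questions)


def implied_per_question_accuracy(successes: int, failures: int, n_questions: int) -> float:
    """Per-question hit rate that would produce the observed pass rate, assuming
    n_questions independent questions that must all be answered correctly."""
    pass_rate = successes / (successes + failures)
    return pass_rate ** (1 / n_questions)


# Constructed quiz for a victim whose stolen address is in Williamsport.
SAMPLE_QUIZ = [
    Question("Which lender holds your mortgage?",
             ["Pacific Coast Bank", "Keystone Savings", "Great Lakes Mortgage", NONE_OF_THE_ABOVE],
             "Keystone Savings"),
    Question("Which of these auto loans did you open in 2012?",
             ["$14,000 from Hudson Valley Credit Union", "$9,500 from Pacific Coast Bank",
              "$22,000 from Great Lakes Mortgage", NONE_OF_THE_ABOVE],
             NONE_OF_THE_ABOVE),
    Question("On which of the following streets have you lived?",
             ["Maple Ave", "Pine St", "Oak Ln", NONE_OF_THE_ABOVE],
             "Pine St"),
]

if __name__ == "__main__":
    print("guessed:", [guess(q, "Williamsport") for q in SAMPLE_QUIZ])
    print("passes quiz:", passes_quiz(SAMPLE_QUIZ, "Williamsport"))
    print("implied per-question accuracy at 4 questions:",
          round(implied_per_question_accuracy(334_000, 281_000, 4), 3))
```

On the constructed quiz the two heuristics get the lender and loan questions right and the street question wrong, so the attempt fails: without credit data, every question that offers no locality or none-of-the-above signal is a miss, and misses compound. The last line is the other side of that arithmetic. If a quiz is four questions that must all be answered correctly, the roughly 54% success rate the IRS figures imply corresponds to getting each individual question right about 86% of the time, far above chance for a four-option question and consistent with either partial credit data or a strongly exploitable pattern in the answer choices.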


In any case, once the hackers had successfully obtained taxpayers’ personal data, they now had to use it to create new tax returns. Comparing Kasper’s real return to the fraudulent one submitted under his name, it seems clear that this process—which involves filling out PDF forms and submitting them online—would have been automated too.

Finally, they would have submitted the fake tax returns to the IRS, then waited. If a taxpayer had already filed a return when the fraudulent one was submitted, the fraudulent one would be rejected. If accepted, it would still have to pass a series of fraud-detection filters. When the IRS first announced the data breach in May, it said that 15,000 of the falsified documents got all the way through, leading to $50 million in refunds. Whether that number will rise after the IRS’s extended analysis is still under review, according to the agency.

But how did the criminals then collect the $50 million? In January of this year, the IRS started limiting how many separate tax refunds could be direct-deposited into the same bank account. To get around the limit, the hackers would have had to open thousands of bank accounts. There doesn’t seem to be a reasonable way for even a sophisticated criminal to do something like that. This part of the operation remains unclear; we still do not know how the crooks got paid.

In the case of Michael Kasper, however, we do know where the money went. Sort of.

The Nigerian connection

Back in March, Kasper looked over the fraudulent tax return that had been filed under his name. There was a bank account number on it that was not his, and next to it, a routing number. Kasper found out that the routing number belonged to a bank in Williamsport, a city of about 30,000 in central Pennsylvania.

After a few phone calls, Kasper reached Barbara Austin, the head of account security at the First National Bank of Pennsylvania. She told him that in February the IRS had deposited $8,936, with Kasper’s name and Social Security number as a reference, into an account in someone else’s name. Most of that money, Austin said, was now gone. And although Kasper had filed a fraud report with the IRS more than a month earlier, no one from the government had contacted Austin about the deposit.

Kasper then contacted the Williamsport police. Within a couple of days, a detective named Donald Mayes had checked with the bank and identified the owner of the account. Her name was Isha Sesay—a small-framed, 21-year-old resident of Williamsport.


Sesay told Mayes (according to an arrest warrant that would later be filed, and an email Mayes later sent to Kasper) that she’d been hired on Craigslist as a personal assistant. Her only duties were to open a bank account, into which funds would sporadically be deposited, and to wire some of those funds to places like Nigeria.

For her trouble, Sesay would be allowed to keep a portion of the deposits. She admitted to Mayes that the job seemed “odd,” but explained that she needed the money. Bank records obtained by the police indicated that Sesay had indeed written a check for $7,000 to cash, but she could not provide any documentation of the wire transfers she claimed to have made with that cash.

Sesay’s bank records also indicated that she used the leftover $1,936 for rent and daily living expenses. “By the end of February 2015,” Mayes wrote in the arrest warrant, “Sesay’s account would have a balance of $4.58.” The account was then closed.

A woman who answered a call from Quartz in early July at the phone number listed on Sesay’s arrest warrant made only one brief comment before hanging up. “Isha is dead,” she said.

Mayes told Quartz Sesay is still living, as far as he knows. She waived her right to a preliminary trial, Mayes said, and was released on $8,500 bail. He added: “She’ll end up taking a plea and probably won’t go to trial.” In addition to the fraudulent tax refund, police found that Sesay had also received a deposit linked to a romance scam. She is charged with receiving stolen property.

It seems most likely that Sesay was merely a small part of a much larger operation. In his email to Kasper, Mayes noted: “You still have to contend with the fact that she may be telling the truth and that someone else has obtained your personal information.”

Dubious solutions

Michael Kasper received his actual tax refund on May 12, along with a letter confirming that this was a case of identity theft. “But I don’t know if they ever tried to prosecute anyone,” he said, “or identified whether it was from overseas or what.” And the IRS was not interested in what Kasper had found out about his case.

“I even tried to call them back and say, look, somebody’s been arrested, here’s some additional information,” he said. “And they literally would not take that information when I called. They said, ‘We do not accept tips on identity theft.’”

The IRS has yet to confirm or deny whether the fraud committed against Kasper was part of the larger scam. However, like the 334,000 victims of that scam, Kasper has received a special “Identity Protection PIN” from the IRS, which he will have to use to confirm his identity on future federal tax returns. He argues it’s not a secure solution.

“I already know that whoever got my tax transcript can also get my identity PIN the same way,” he said. “They have the same authentication on the website to get the identity PIN as they do for the ‘Get Transcript.’ So I don’t know what’s going to stop someone from filing again as me next year.” Fu, who has gone through the login process for retrieving an IP PIN, told Quartz the process is indeed similar, and possibly even slightly less secure.

The IRS did not comment on that, but did send Quartz a statement outlining the security benefits of IP PINs. For one, it said, access to an IP PIN itself “does not expose taxpayer Personally Identifiable Information.” (It doesn’t grant access to other personal data, in other words.) Also, taxpayers who use IP PINs will be sent a new one in the mail each year, “prior to each tax season—making it much harder for an identity thief to access this information.” That is, hackers would have a small window—between the end of the tax year and the moment a taxpayer files a return—to try to steal the IP PIN. The statement added: “In addition, we carefully monitor IP PIN traffic in order to respond swiftly to any potentially suspicious activity.”
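What “monitoring IP PIN traffic” for suspicious activity could look like in practice, as an added example rather than the IRS’s own tooling, which the article does not describe. The log format, the endpoint names, the hashed subject identifiers and the thresholds are assumptions, and the log lines are constructed. The rule looks for the two signals this breach would have produced at either the transcript or the IP PIN retrieval endpoint: one source verifying many distinct identities in a short time, and an unusually high failure rate at the KBA step.

```python
"""Velocity detection over identity-verification logs.

Added example; not the IRS's monitoring code. The log format, field names,
endpoint names, the hashed subject identifier and the thresholds are
assumptions; the sample log is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str        # client IP
    endpoint: str   # get_transcript or get_ip_pin (assumed names)
    subject: str    # hashed taxpayer identifier; raw SSNs never reach the log (assumption)
    result: str     # "pass" or "fail" at the KBA step


def parse(line: str) -> Event:
    """Parse one constructed log line: '<ts> <src> <endpoint> <subject> kba <result>'."""
    ts, src, endpoint, subject, step, result = line.split()
    if step != "kba":
        raise ValueError(f"unexpected step: {step}")
    return Event(datetime.strptime(ts, TS_FMT), src, endpoint, subject, result)


def find_bulk_sources(lines, window=timedelta(minutes=10), min_attempts=10,
                      min_subjects=10, max_fail_ratio=0.4):
    """Flag a source when, inside one sliding window, it verifies many distinct
    identities or fails the KBA step unusually often. A legitimate taxpayer
    retrying their own quiz a few times triggers neither signal."""
    by_src = defaultdict(list)
    for ev in map(parse, lines):
        by_src[ev.src].append(ev)

    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(events)):
            while events[end].ts - events[start].ts > window:
                start += 1
            win = events[start:end + 1]
            if len(win) < min_attempts:
                continue
            subjects = {e.subject for e in win}
            fail_ratio = sum(e.result == "fail" for e in win) / len(win)
            if len(subjects) >= min_subjects or fail_ratio > max_fail_ratio:
                findings[src] = {"attempts": len(win), "subjects": len(subjects),
                                 "fail_ratio": round(fail_ratio, 2),
                                 "endpoints": sorted({e.endpoint for e in win})}
                break  # the first window that crosses a threshold is enough to alert
    return findings


def constructed_sample() -> list[str]:
    """Two sources: one taxpayer retrying their own quiz, one working a stolen list."""
    t0 = datetime(2015, 2, 10, 9, 0, 0)
    lines = []
    for i, res in enumerate(["fail", "fail", "pass"]):
        ts = (t0 + timedelta(minutes=i)).strftime(TS_FMT)
        lines.append(f"{ts} 203.0.113.5 get_transcript h-self kba {res}")
    for i in range(20):
        ts = (t0 + timedelta(seconds=15 * i)).strftime(TS_FMT)
        endpoint = "get_transcript" if i < 15 else "get_ip_pin"
        res = "pass" if i % 2 == 0 else "fail"   # roughly half succeed, as in the breach
        lines.append(f"{ts} 198.51.100.7 {endpoint} h-{i:03d} kba {res}")
    return lines


if __name__ == "__main__":
    for src, info in find_bulk_sources(constructed_sample()).items():
        print(src, info)
```

The taxpayer at 203.0.113.5 fails twice before passing, a 67% failure rate, but never reaches the minimum attempt count, so the rule stays quiet; the source at 198.51.100.7 is flagged as soon as ten distinct identities appear inside the window, and the same rule covers the IP PIN endpoint, which matters because the article notes that endpoint is protected the same way.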

The IRS commissioner, John Koskinen, suggested at June’s Senate hearing that the agency will bring back the “Get Transcript” page with stronger authentication, but did not say whether KBA will be reviewed across the board. A Government Accountability Office (GAO) report in January, before the fraud was announced, had noted the limitations (pdf) of the KBA process.

Koskinen also said that, in cases where someone like Kasper needs a copy of a fraudulent document filed under his name, the IRS has set up “a situation where we can simply redact any third-party information on a return and give the taxpayer a copy of the fraudulent return so they’ll know exactly what was in there.”

Kasper suspects that means the IRS would remove the only information that led him to Williamsport, and that helped the police there find Isha Sesay. “It would not surprise me at all if they do that,” he said.

[Chart: Internal Revenue Service investigations by fiscal year (Atlas by Quartz)]

Left behind

For the IRS, the fraud problem far exceeds the $50 million lost in this one incident. According to the GAO’s January report, the IRS prevented the loss of $24.4 billion to fraud in 2013, but still lost a total of $5.8 billion that year. And although the agency currently has 81,000 full-time employees and an operating budget of $10.9 billion, it initiated only 4,297 criminal investigations in 2014—some 1,000 fewer than the previous year. Meanwhile, the number of sophisticated computer attacks nationwide continues to rise.

At the hearing, Koskinen listed several reasons the agency is not excelling in the realm of computer security. Its systems are antiquated, he said. Some of its applications “have been running for 50 years.” Some of the software used at the IRS is no longer supported by the people who made it. And the agency simply doesn’t have the funds in place, he said, to recruit top talent from the private sector.

He added: “It’s a difficult challenge competing with organized criminals who have resources.”

As of mid-August, the IRS still had not contacted the First National Bank in Williamsport, nor the police there who solved Kasper’s case.
