A full review of a breach of the Internal Revenue Service's Get Transcript app earlier this year showed that intruders accessed three times as many records as first thought and could have personal information on five times as many taxpayers.
Back in May, the IRS reported that hackers had gamed the agency's multifactor authentication system to gain access to more than 114,000 taxpayer records, namely past tax returns stored in the online Get Transcript app.
The deeper dive showed more than 330,000 taxpayer accounts had likely been accessed (an additional 220,000 from the initial report).
The IRS also said an additional 170,000 unsuccessful attempts were made. Though malicious actors weren't able to get any information out of the IRS system on those attempts, the agency will still be sending letters to those affected, letting them know their information might be in the hands of fraudsters.
All told, the IRS will be mailing some 500,000 letters over the next few days.
"A wide variety of actions to protect taxpayers are being taken beyond the mailings, including offering taxpayers free credit protection as well as Identity Protection PINs," the IRS said in statement Monday. "The IRS takes the security of taxpayer data extremely seriously and we are working to continue to strengthen security for 'Get Transcript,' including by enhancing taxpayer-identity authentication protocols."
The Get Transcript app has remained offline since the initial breach was reported in May.
Hackers' ability to use social media and other publicly available data repositories underlines the need to strengthen security measures beyond personal questions and passwords.
"This is a perfect example of how unrelated data breaches imperil us all," said Ken Westin, a security analyst at Tripwire. "The information that was used such as Social Security numbers, date of birth, tax filing status — married or not — and street address is the same type of information that we have seen compromised by Anthem and a handful of other breaches."
Westin noted defining the full scope of these kinds of breaches can be particularly difficult, as the attackers used legitimate online forms, rather than just stealing an entire database.
"The data used to perpetrate this attack was originally harvested from multiple sources, including open source data and data from other breaches," he said. "In this case the criminals were able to quickly correlate disparate data sets to create complete profiles; once this was completed they then automated the IRS 'Get Transcript' form submission to extract additional information that can then be used to file fraudulent tax returns."
IRS officials said the investigation will continue, led by the Treasury Department inspector general for tax administration and the IRS Criminal Investigation unit.