IRS anti-fraud system uses data lost in previous data breach

Mar 3, 2016 12:50 GMT

The US Internal Revenue Service (IRS) has been using a conceptually flawed system to protect the victims of its May 2015 data breach from abuse, and it's not working, as independent reporter Brian Krebs has discovered.

Last week, we reported that the IRS had amended the final tally of its May 2015 data breach, bringing it to a number seven times what it originally announced.

The breach happened through the IRS Get Transcript application, and the attackers managed to acquire the personal details of some US citizens.

The IRS said initially that only 100,000 US citizens were affected, then modified the number to 225,000, then to 390,000 in August, and then to 685,000 last week.

For all those people, the IRS provided a free year of credit monitoring services via Equifax. Victims could also ask the IRS to issue an Identity Protect PIN (IP PIN) by completing an online form. This PIN works just like a password: every taxpayer who requested one had to enter it on all their tax return forms.

IRS Identity Protect PIN conceptually flawed

What the IRS didn't account for is that, to request this PIN, or to obtain a replacement after losing it, the taxpayer must verify their identity by entering or answering questions with the very same information that the IRS lost during the May 2015 data breach.

As Brian Krebs reported, this is what happened to many people across the country, who discovered that attackers had used the data stolen in the May 2015 breach to reset their IP PINs and then file fraudulent tax returns in their names.

This worked even for IP PINs requested before the data breach. No matter when the IP PIN was issued, if the person's details were stolen in May of last year, the IRS's IP PIN protection becomes irrelevant, leaving those taxpayers exposed.
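The flaw described above, as an added example that is not from the article or the IRS: a small design check of whether a PIN reset policy can still be trusted once a set of identity attributes is known to be compromised. The attribute names, the breached data set and the hardened alternative policy are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Attribute names are assumed for illustration: the identity details a
# knowledge-based verification (KBA) step asks the taxpayer to supply.
KBA_ATTRIBUTES = frozenset({"ssn", "dob", "street_address", "filing_status"})

# Constructed: the data assumed lost in the breach. It covers every KBA
# attribute, which is exactly the flaw the article describes.
BREACHED_ATTRIBUTES = KBA_ATTRIBUTES | {"prior_year_agi"}

@dataclass(frozen=True)
class RecoveryPolicy:
    """One way a taxpayer can obtain or replace an IP PIN."""
    name: str
    kba_steps: tuple          # frozensets of attributes, all must be answered
    possession_factor: bool = False  # e.g. a code mailed to the address on file

def residual_protection(policy, compromised):
    """What still stands between a holder of `compromised` and a successful
    recovery: KBA attributes not in the leaked data plus a marker for any
    possession factor. Empty means the flow completes from leaked data alone."""
    remaining = set()
    for step in policy.kba_steps:
        remaining |= step - compromised
    if policy.possession_factor:
        remaining.add("<possession factor>")
    return remaining

def is_breach_resistant(policy, compromised):
    return bool(residual_protection(policy, compromised))

def weakest_path(paths, compromised):
    """A PIN is only as strong as its weakest reset path. Return the first
    path completable from leaked data, or None. Note that when the PIN itself
    was issued (before or after the breach) never enters into this."""
    for path in paths:
        if not is_breach_resistant(path, compromised):
            return path
    return None

# The reset flow the article describes: re-answer the same KBA questions.
KBA_ONLY = RecoveryPolicy("IP PIN reset via KBA", (KBA_ATTRIBUTES,))
# Hardened contrast (assumed here, not something the article reports): the same
# questions plus a one-time code sent to an address on file before the breach.
KBA_PLUS_CODE = RecoveryPolicy("KBA + mailed code", (KBA_ATTRIBUTES,), True)
```

Run `residual_protection(KBA_ONLY, BREACHED_ATTRIBUTES)` to see that nothing remains, and `weakest_path` to see that adding a stronger path does not help while the KBA-only one still exists.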