Stolen Personally Identifiable Information Loses IRS Millions

Greg Edwards

Big data, little data, personal data or PII: data is everywhere. The digital world is awash with your data, and it is getting into the hands of the wrong people.


Cyber security is being compromised left, right and center. In recent years there has been a spate of attacks that have resulted in the loss of personally identifiable data. To give you an idea of the types and levels of these cyber attacks, I’ll show you just a few attacks initiated through malware. These are the ones that made the headlines; many, many others haven’t. In our lineup we have:

Target Corp: Target was the ‘target’ of hackers in 2013 when they stole over 70 million customer records, including personal details such as name, address, and debit and credit card details. This security breach was one of the largest in history and class action lawsuits are still being fought by the customers affected.

Neiman Marcus: Around 1.1 million payment card details held on behalf of customers were compromised by hackers in 2013.

Home Depot: Hackers breached Home Depot’s security protection in 2014, compromising around 53 million credit cards and stealing 56 million email addresses, which can subsequently be used for phishing attacks.

Living Social: This daily deals site owned by Amazon had around 50 million customer records breached by hackers in 2013. The records contained personally identifiable information (PII) including email addresses, birthdates and even poorly encrypted passwords.

Anthem: The Anthem attack of 2015 was a massive breach of personal data. Anthem, which runs various U.S. healthcare plans, had between 60 and 70 million user records breached. These records contained personally identifiable information (PII) such as social security numbers, addresses, email addresses, dates of birth and so on.

The above represent the tip of the iceberg. However, the data stolen, especially that which falls into the camp of personally identifiable information or PII, e.g. date of birth, social security number, name and address, is aggregated by hackers and shared amongst the hacking community. These data are very valuable. Payment card details may be useful until that card is stopped, but PII is persistent and can be re-used to propagate hacker attacks. It is stolen PII that is the most likely reason for the recent attack on the IRS.


The IRS attack was based on using stolen PII to get through a multi-step authentication process. During this process, the user is asked knowledge-based questions such as ‘What is your social security number?’ and ‘What is your date of birth?’. Because hackers had already stolen PII from a multitude of U.S.-based sources, such as those mentioned above, they simply had to aggregate that information to create a user profile. Once the hackers had this information, they went to the IRS online system and requested tax returns and related filings. In the end, the hackers made almost $50 million worth of fraudulent claims, which the IRS paid out in refunds.

There are methods that the IRS could have used to prevent these types of breaches. Multi-factor and out-of-band authentication is one of those. Another is to use knowledge-based questions that are not based on PII but on knowledge you have about your recent use of the IRS system, or similar (banks and credit reference agencies often use this type of method to check a person).
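The contrast described above, as an added Python illustration (not code from the IRS or from this article): a PII-only check accepts anyone who holds a copy of the record, while a flow that also requires a one-time code delivered out of band does not. The record values, field names and function names are constructed for the example, and delivery of the code over the separate channel is assumed to happen outside this snippet.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample record; every value is fake.
TAXPAYER = {"ssn": "000-00-0000", "dob": "1970-01-01", "zip": "00000"}


def static_kba_ok(record, answers):
    """PII-only check: passes for anyone holding a copy of the record."""
    return all(
        hmac.compare_digest(value.encode(), answers.get(field, "").encode())
        for field, value in record.items()
    )


def _digest(code):
    return hashlib.sha256(code.encode()).digest()


def issue_challenge(ttl=600, attempts=3, now=time.time):
    """Create a one-time code; the caller delivers it over a separate,
    pre-registered channel and stores only the returned state."""
    code = f"{secrets.randbelow(10**6):06d}"
    state = {"digest": _digest(code), "expires": now() + ttl, "attempts": attempts}
    return state, code


def verify_challenge(state, submitted, now=time.time):
    """Constant-time check with expiry, attempt limit and single use."""
    if state["attempts"] <= 0 or now() > state["expires"]:
        return False
    state["attempts"] -= 1
    ok = hmac.compare_digest(_digest(submitted), state["digest"])
    if ok:
        state["attempts"] = 0  # burn the code after one successful use
    return ok


def request_allowed(record, answers, state, submitted_code):
    """Hardened flow: PII answers alone are never sufficient."""
    return static_kba_ok(record, answers) and verify_challenge(state, submitted_code)
```

The attempt limit matters as much as the code itself: without it, a six-digit code can simply be guessed by repeated submission.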

However, ensuring that your customers’ PII is correctly protected and minimally used, i.e. you keep a copy of the data only if it is really needed, is the best way to prevent these sorts of breaches.

One method that should be used to prevent a PII breach is prompt patch management. You need to keep software updated and patched to prevent hackers from taking advantage of software vulnerabilities and inserting malware, the method used to steal data, onto your computers and network.

It not only protects your customers but it protects you from large fines, too. Data breaches, where personally identifiable information is lost, can be costly. Anchorage Community Mental Health Services was fined $150,000 when it was breached and 2,700 customer records were stolen.

Patch management gives you peace of mind, and software like the WatchPoint Security Platform gives you the tools to carry this out effectively, efficiently and without needing specialist staff.
