'Organised crime syndicates' hack IRS and steal personal data of 100,000 taxpayers
'We're confident that these are not amateurs' says IRS commissioner John Koskinen
The Internal Revenue Service (IRS) - the United States government agency responsible for tax collection - has fallen victim to "organised" cyber criminals who are reported to have stolen personal information on about 100,000 taxpayers between February and May.
While the data breach isn't as large as the one against US healthcare firm Anthem, which affected up to 80 million people, the attack against the IRS is significant as hackers have been able to gain access to full tax return transcripts, containing vast amounts of personal information and leaving victims open to identity theft.
"The IRS announced today that criminals used taxpayer-specific data acquired from non-IRS sources to gain unauthorised access to information on approximately 100,000 tax accounts through IRS' 'Get Transcript' application," said a statement released by the IRS.
The statement goes on to suggest that the hackers may have held some personal data about their victims before the breach, as the nature of IRS authentication means information that should only be known to an individual has been used in the process of the hack.
"These third parties gained sufficient information from an outside source before trying to access the IRS site, which allowed them to clear a multi-step authentication process," the statement said.
According to the IRS, the information the hackers may have had access to before attacking includes "social security information, date of birth, tax filing status and street address" along with "several personal identity verification questions that typically are only known by the taxpayer".
That suggests that those US taxpayers who have been affected by the breach may have been victims of phishing attacks or data-stealing malware in the run-up to the breach.
"We're confident that these are not amateurs," said IRS commissioner John Koskinen. "These actually are organised crime syndicates that not only we but everybody in the financial industry are dealing with."
Given the nature of the breach, the US Congress is already pushing for the release of more information about how the attack was able to occur, and asking why more precautions have not been taken despite warnings.
"That the IRS - home to highly sensitive information on every single American and every single company doing business here at home - was vulnerable to this attack is simply unacceptable," said Senator Orrin Hatch, chairman of the Senate Finance Committee.
"What's more, this agency has been repeatedly warned by top government watchdogs that its data security systems are inadequate against the growing threat of international hackers and data thieves," he added.
Eric Chiu, president and co-founder of web security firm HyTrust, called the IRS data breach a "wake-up call" which shows that "the stakes are getting higher".
"Attackers are on the hunt for our personal and financial information using data stolen from other breaches to gain a larger amount of information on those same individuals," he said.
"The outcome of this could be devastating to consumers - attackers can potentially open new accounts, siphon off funds and ultimately steal the identities of the victims. Attackers are getting more sophisticated and cyber security presents a huge risk to our economy," Chiu continued.
"It's clear organisations need to do more to protect against this threat," he added.