Hacking the IRS History

In February, some of that data began working its way back out of the building, so much so that by May, the personal information of more than 100,000 taxpayers was on the loose and expecting refunds. Fortunately, only about $50 Million in refunds had followed the data out the door before the breach was sealed. Unfortunately, a breach in 2013 saw $5.8 Billion make like Elvis and leave the building. Billion, with a B.

Investigation of the recent incident revealed that over 200,000 attacks were made on Get Transcript, a secondary site containing IRS data, but the barriers to entry were substantial. Hackers needed a good bit of personal information to access the target data, including Social Security numbers and prior-year tax filing details, suggesting a sophisticated operation using patient methods typical of Advanced Persistent Threats, or APTs. Phishing scams and social engineering are a couple of the backbone techniques of APTs, and ones you probably witness every day.

Hackers deploying APTs invest heavily in attacks on data-rich targets — and the IRS is arguably one of those targets — having run the cost-benefit analysis that separates them from SPAM artists and rogue televangelists. After all, business is business. Only next time, their business might be your business. Statistically speaking, they’re already knocking on your door, working the social media connections, smiling at the receptionist, pinging the right email accounts, collecting tidbits of data to aggregate against you.

So the hackers are already investing in your business. The question is, are you?