Cyber Incident Victim: Internal Revenue Service

Date: Feb 2016

Location: United States of America

Summary

The Internal Revenue Service experienced multiple security breaches targeting its electronic filing PIN system, which was designed as an identity protection measure for previously victimized taxpayers. Attackers exploited weak knowledge-based authentication mechanisms using stolen personal data, including Social Security numbers, names, and addresses, to automate fraudulent PIN retrievals. This resulted in unauthorized access to approximately 100,000 PINs, enabling potential tax fraud through falsified returns. The agency initially implemented additional defenses like IP address monitoring and return scrutiny but ultimately discontinued the compromised PIN system entirely due to persistent automated attacks and inherent vulnerabilities in the retrieval process.

Description

The Internal Revenue Service (IRS) experienced multiple security incidents in 2016 involving its electronic filing PIN (e-File PIN) system, designed as an Identity Protection (IP) PIN for taxpayers previously victimized by identity theft. Following an initial breach discovered in March 2016, the IRS suspended the PIN system after confirming unauthorized access to approximately 800 taxpayer accounts. The e-File PIN system allowed users to retrieve their six-digit authentication codes via IRS.gov or phone by answering knowledge-based verification questions, such as past addresses or mortgage payment details—a method previously criticized by the Government Accountability Office for vulnerability to social engineering and data breaches. Despite this suspension, the IRS permitted taxpayers who already possessed IP PINs to continue filing returns normally. The system remained structurally integrated with most commercial tax software, complicating its removal.

In February 2016, attackers launched an automated bot attack targeting the "Get My Electronic Filing PIN" portal using 464,000 stolen Social Security Numbers (SSNs), names, addresses, filing statuses, and birth dates obtained from external sources. This attack succeeded in acquiring 100,000 PINs before the IRS blocked the bot. The agency implemented additional defenses, including enhanced IP address monitoring and backend safeguards, while continuing to allow PIN retrievals. By June 2016, accelerated automated attacks prompted immediate termination of the e-File PIN program. The IRS cited "additional questionable activity" affecting a limited number of PINs but emphasized that its upgraded detection mechanisms identified the threats. No taxpayer data was exposed through the PIN tool itself. The agency had previously collaborated with tax software providers to phase out the system, accelerating this timeline due to persistent threats. Affected taxpayers were not charged penalties for filing delays caused by the incidents.