
Cyber Incident Victim: Internal Revenue Service

Date: Jan 2016

Location: United States of America

Summary

A cyberattack targeted an electronic filing system, compromising credentials for over 100,000 taxpayers by exploiting previously stolen personal data through automated bot attacks. The attackers attempted unauthorized access on nearly half a million accounts, with the affected individuals being notified and their accounts flagged for protection; no internal systems were breached, though this incident follows a prior large-scale compromise of taxpayer information.


Description

In February 2016, the US Internal Revenue Service disclosed a malware attack targeting its Electronic Filing PIN application, which resulted in the compromise of e-filing credentials for 101,000 taxpayers. Attackers used personal data stolen from non-IRS sources to drive an automated bot that queried the IRS system. The bot systematically attempted to generate Electronic Filing PINs, which are used to authenticate electronic tax returns, by submitting Social Security numbers and other personal identifiers. The attackers targeted 464,000 Social Security numbers but successfully acquired credentials for 101,000 individuals. The breach occurred in January 2016, with no evidence suggesting IRS systems were the source of the stolen personal data used in the attack. Upon discovery, the IRS flagged all affected taxpayer accounts to prevent unauthorized e-filing and began notifying impacted individuals by mail. The agency collaborated with other government entities and industry partners to investigate the incident and mitigate its effects.


This incident followed a separate 2015 breach where attackers compromised the IRS’s Get Transcript application, initially exposing data for approximately 100,000 taxpayers before revised estimates tripled that figure to 300,000. The 2016 attack highlighted how external data breaches—such as those affecting the US Office of Personnel Management, Anthem, Premera, CareFirst, and Excellus—could furnish attackers with sufficient personal information to compromise unrelated systems. The IRS acknowledged the possibility that its initial estimate of 101,000 affected taxpayers might increase following further investigation, mirroring the upward revision pattern observed in the 2015 incident. Both breaches demonstrated attackers’ ability to leverage stolen identity data at scale, though the 2016 attack specifically exploited automated credential-generation tools rather than direct infiltration of IRS databases. The agency’s response focused on securing compromised accounts and coordinating with external partners, with no additional taxpayer data reported as exfiltrated from IRS systems during the event.
