
Cyber Incident Victim: Internal Revenue Service

Date: May 2015

Location: United States of America

Summary

Unauthorized actors exploited the IRS's Get Transcript application, which required identity verification, to access sensitive taxpayer data by leveraging previously acquired personal information to bypass authentication checks. The breach initially impacted approximately 114,000 accounts but was later found to affect 334,000 accounts through expanded analysis, with an additional 281,000 unsuccessful attempts recorded. The compromised system was disabled, and affected individuals were notified, offered free credit monitoring, and provided Identity Protection PINs to mitigate further risks.


Description

In May 2015, the Internal Revenue Service disclosed a breach of its Get Transcript application, initially reporting unauthorized access to approximately 114,000 taxpayer accounts. The attackers exploited this online service, designed to provide users with detailed tax return information, wage data, and income records for specific tax years. To gain entry, the hackers utilized personal taxpayer information acquired from external sources to correctly answer multiple identity verification questions required by the system. This authentication bypass enabled access to sensitive financial data, though the IRS initially could not confirm whether information was extracted from every compromised account. The Get Transcript service was immediately disabled following the discovery of the breach in May. The incident highlighted vulnerabilities in knowledge-based authentication systems, which can be defeated when attackers obtain sufficient personal details about targets through other means.

By August 2015, further IRS analysis revealed the breach's scope was significantly larger than initially assessed. A comprehensive review of over 23 million Get Transcript transactions during the 2015 filing season identified an additional 220,000 potentially compromised accounts, bringing the total to 334,000 affected taxpayers. The agency also documented 281,000 unsuccessful hacking attempts where attackers failed authentication checks—111,000 identified in May and 170,000 discovered during the expanded investigation. The IRS initiated notifications to all potentially impacted individuals via mailed letters and offered free credit monitoring services alongside Identity Protection PINs to mitigate risks of identity theft. No specific attribution or motive for the attack was disclosed in the available reporting, and the service remained offline pending security improvements.
