Cyber Incident Victim: Internal Revenue Service
Date: Apr 2017
Location: United States of America
Summary
The Internal Revenue Service experienced a cybersecurity breach in which hackers impersonated students using an online financial aid application tool, potentially compromising personal data of up to 100,000 taxpayers. Attackers exploited the Data Retrieval Tool, which is designed to transfer tax information into student aid forms, raising concerns that stolen data could enable fraudulent tax refund claims. The agency detected suspicious activity involving unfinished applications and temporarily disabled the tool during peak financial aid season, causing significant disruption. While fewer than 8,000 fraudulent returns were confirmed as processed, notifications were sent to affected individuals. The incident highlighted ongoing challenges in strengthening cyber defenses amid resource constraints and evolving threats.
Description
In early 2017, the Internal Revenue Service disclosed a breach affecting up to 100,000 taxpayers through unauthorized access to its Data Retrieval Tool, an online system designed to help students and families transfer tax information to the Free Application for Federal Student Aid (FAFSA). Hackers exploited this tool by posing as financial aid applicants, potentially compromising personal data including tax details. The breach represented the most significant security incident since 2015, when criminals accessed tax returns of over 300,000 individuals to file fraudulent refund claims. IRS officials first identified potential vulnerabilities in the student aid interface during fall 2016 but delayed taking action until February 2017, when monitoring revealed an abnormal spike in incomplete FAFSA applications suggesting systematic criminal testing of the system. This detection prompted the IRS to disable the Data Retrieval Tool in early March at the peak of financial aid season, causing widespread disruption for legitimate applicants. Commissioner John Koskinen testified before the Senate Finance Committee on April 6, 2017, confirming the agency had intercepted the scheme early enough to prevent broader damage, though exact compromise figures remained unverified. The IRS estimated fewer than 8,000 fraudulent returns had been successfully processed using stolen data, resulting in illegitimate refund disbursements.

The agency initiated direct notifications to 35,000 confirmed victims while preparing alerts for up to 100,000 potentially affected individuals. System restoration timelines projected the tool would remain offline until October 2017 to implement security upgrades. Congressional scrutiny intensified during the hearing, with Senator Orrin Hatch questioning why the IRS waited months to suspend the tool after initial vulnerability assessments. Koskinen defended the delay as necessary to avoid prematurely disabling a critical service used by millions before confirming malicious activity. The breach occurred amid ongoing budgetary constraints that hampered the IRS's cybersecurity modernization efforts, with staff reductions compounding operational challenges. Political tensions surrounding Koskinen's leadership resurfaced during the incident, as Republican lawmakers renewed calls for his resignation over prior controversies unrelated to the breach. The commissioner reaffirmed his commitment to serve through his term's November expiration despite pressure, emphasizing taxpayer protection as the agency's priority while managing fallout from the intrusion.
