The IRS has been known to take funds from negligent taxpayers' bank accounts. Now, criminals are returning the favor with a malicious twist.

The IRS confirmed on Tuesday that criminals used taxpayer-specific data acquired from outside sources to gain unauthorized access to 100,000 tax accounts through its “Get Transcript” application. This data included Social Security information, date of birth, and street address.

According to the IRS, the hackers gained enough outside information before trying to access the IRS site, allowing them to clear a multi-step authentication process that included several personal verification questions typically only the taxpayer knows.

“The matter is under review by the Treasury Inspector General for Tax Administration as well as the IRS’ Criminal Investigation unit, and the ‘Get Transcript’ application has been shut down temporarily,” the IRS said in a statement. “The IRS will provide free credit monitoring services for the approximately 100,000 taxpayers whose accounts were accessed. In total, the IRS has identified 200,000 total attempts to access data and will be notifying all of these taxpayers about the incident.”

The Changing Market for Stolen Data

We asked John Gunn, Vice President at digital security firm VASCO Data Security, for his perspective on the latest security headline. He told us the IRS attack has remarkable similarities to last summer’s Apple hack -- there were a large number of successful compromises of an unsound security infrastructure that resulted in breach-like consequences.

“This highlights the change that has occurred in the market for stolen data,” Gunn said. “Social Security Numbers are becoming the primary high-value target of hackers because they are worth 10 times as much as credit cards and they are protected by a fraction of the security of banking assets.”

As Gunn sees it, this trend must change or we will see an increasing number of victims. The IRS hack, he said, also begs a serious question: Why does the IRS offer enhanced security only to those who have had their information stolen?

“Why not use a simple one-time-password (OTP) solution to keep everyone else from joining the growing ranks of identity theft victims?” he asked. “OTP security has been proven very effective by large global banks.”

From Personal to Public Information

We also turned to Ken Westin, senior security analyst for advanced threat detection firm Tripwire, to get his take on the fallout. He explained that we now live in a world where the Internet has become a “database of you” and where one data breach can easily feed another.

“According to the IRS, the data came from questionable e-mail domains and at a high velocity of requests,” Westin said. “The information that was used to bypass the security screen, including Social Security numbers, dates of birth, and street addresses, are all components of data that have recently been compromised in health insurance data breaches.”

Westin said tax filing status can be identified pretty easily if you know whether the person is married or not. Unfortunately, he concluded, the high number of large-scale data breaches has essentially transformed our personal information into public information -- and this data should not be used as security or authentication checks.