The Internal Revenue Service revealed Tuesday that criminals accessed tax information for more than 100,000 taxpayers via an online system -- and they bypassed security screens using personal information like Social Security numbers and addresses, which experts say are routinely sold online between criminals for just a few dollars.
The IRS said that 200,000 taxpayers' accounts received suspicious login attempts, and half of those accounts were accessed. The attackers were able to look at taxpayers' filings because they "confirmed" their identities by entering personal data like Social Security numbers, dates of birth and street addresses.
"A lot of sites, including the IRS, have you register with this personal information -- and if you know that information, they assume you are the person you say you are," Jeff Williams, chief technology officer of app-security software maker Contrast Security, told NBC News. "Unfortunately, a lot of people can have that information: your health care providers, your bank, your school, the DMV. It's got to be thousands, maybe millions, of people who could theoretically get that information."
Data breaches at retailers like Target and health care providers including Premera add to the troves of personal data floating around online. These Social Security numbers, addresses and other identifying bits of info are then packaged into databases and sold between criminals in dark corners of the web. They can demand higher prices for their hauls by piecing together multiple types of personal information for specific targets -- making it easier for criminals to carry out more sophisticated thefts -- but single pieces of data like Social Security numbers can sell for $10 on their own.
"It sounds [like a] small [amount of money], but this is a type of crime that's done in bulk: the Costco of cybercrime," Ken Westin, senior security analyst at cybersecurity firm Tripwire, told NBC News. "It's a whole economy of its own for these criminal cyber syndicates."
Criminals can try to use this information to file fraudulent tax returns -- as the IRS suspects the criminals are planning to do in this case -- open credit cards to run up bills, receive medical treatments and commit identity theft.
Not every entry in these databases of stolen and sold sensitive information will work for criminals looking to score, Westin pointed out, but "they can get a few thousand dollars from a lot of targets, and maybe even tens of thousands from a few if the criminals get lucky."
The IRS is sending letters this week to the 200,000 taxpayers whose accounts were targeted by unauthorized access attempts, and the half of those people whose accounts were accessed will be offered free credit monitoring. The agency warned criminals may have accessed accounts with the intent of using them for identity theft next tax season.
"I'm surprised that people seem to be surprised this could happen to an IRS site -- as if the government can protect your information better," said Williams, the Contrast Security CTO. "In truth the government typically outsources the building of these apps and sites, and they're not even close to the protection of financial services, for example."
It's consumers who suffer the most, though one expert cautioned victims not to panic.
"In reality, they shouldn't be too worried," John Gunn, head of communications at Vasco Data Security, told NBC News. "If someone receives a letter, they should take a deep breath, relax and gear up for some annoying phone calls to straighten everything out. It's frustrating from an administrative standpoint, but there's not a serious financial risk."
But Westin, the Tripwire CTO, thinks people will be and should be "alarmed" if they find out they're one of the taxpayers affected. Unfortunately for consumers, there is nowhere to channel that concern.
"The really tough thing is that there's not a lot people can do," Westin said. "You can't decline to give information to the IRS, and it's not victims' fault the information was compromised. It's about criminals trying to make money off of whoever they can."