The IRS (US Inland Revenue Service)
US taxpayers had their tax return data stolen by cybercriminals who tricked the IRS into paying them tax refunds Reuters

The Internal Revenue Service (IRS) in the US has admitted that cybercriminals have succeeded in stealing the data of over 100,000 taxpayers, as part of a scheme to steal people's identities in order to claim tax refunds fraudulently.

From February to mid-May, the cybercriminals managed to steal the details by manipulating the Get Transcript API, which enables taxpayers to access previous tax returns they have filed from the IRS online database.

In order to access this information, a user would be given an online form and they would need to correctly fill in certain sensitive details, such as their date of birth, social security number, address and tax filing status, in order to pass the security screening.

Using sensitive personal details obtained from previous data breaches, the cybercriminals were able to get past the security, access the information and download the prior tax returns en masse.

"We're confident that these are not amateurs. These actually are organised crime syndicates that not only we but everybody in the financial industry are dealing with," IRS Commissioner John Koskinen told AP, adding that the Get Transcript function has been suspended for the time being.

Using data stolen from breaches to trick the IRS

In 2014, there were a multitude of data breaches plaguing US and US-based companies, such as the huge Target security breach and the Sony Pictures breach.

However, there were also a huge amount of data breaches affecting US healthcare services, such as Community Health System, Texas Health and Human Services Commission and the Los Angeles County Departments of Health Services and Public Health. Added together, the top five biggest health data breaches in 2014 affected almost 7.4 million US citizens.

"Cybercrime is an economy like any other – it is driven by financial gain. When we started seeing the healthcare breaches, many people wondered why the attackers were after this information versus credit cards like we have seen with Target and other retail breaches where the monetisation strategy was more clear," Ken Westin, a senior security analyst at Tripwire told IBTimes UK.

"Here we are seeing the cycle, where social security numbers and other data is used to get additional information from the IRS and other sites, this data will in turn be used to file fraudulent tax returns next year where criminals have been successful in the past."

The IRS says that in 2013, it paid out $5.8bn (£3.8bn) in fraudulent refunds to identity thieves, which are usually sent electronically to prepaid debit cards or bank accounts.

Westin adds that the increasing numbers of large-scale data breaches are now turning the private information of citizens into public information and, as such, governments might have to stop using this data for security or authentication checks.

"This is going to take a partnership with private industry – we are all in this together," he said.

"Industries need to work together with government agencies to identify better ways of not only securing this data, but also making the fraud that powers it less lucrative for the criminals."