Data thieves apparently used an online service provided by the US government's tax-collecting agency to illegally access tax return information from some 100,000 taxpayers, US Internal Revenue Service (IRS) Commissioner John Koskinen announced on 26 May.
From February to May, attackers sought to gain access to personal tax information 200,000 times through the agency's Get Transcript online application, which calls up information from previous returns, Koskinen told a news conference on Tuesday.
About half of those attempts were successful.
Affected taxpayers will be notified beginning this week, the IRS said. The agency will also provide free credit monitoring and protection for the victims, Reuters reported.
A criminal investigation is underway. The breach did not affect any IRS data outside the Get Transcript application, and the agency said it will boost security measures.
The data theft was largely aimed at obtaining taxpayers' information to submit fraudulent returns next year, according to Koskinen. The agency believes that fewer than 15,000 fraudulent returns were processed as a result of the breach, likely resulting in refunds of less than $50m.
The IRS data theft differs from similar incidents in the past in that it did not involve a computer hack. Criminals used taxpayers' personal information to access the system as it was designed to be used, the IRS said.
The attackers must have had a significant amount of information already about the victims, Koskinen said.
In addition to names, addresses and Social Security numbers, the attackers would have needed so-called "out of wallet" data: personal information such as a person's first car or high school mascot.
It was possible that identity thieves could get answers to those questions from individuals' social media accounts and compile them into searchable databases, Koskinen added.
The hackers were most likely sophisticated criminals, according to Koskinen.
"We're confident these are not amateurs. These are actually organized crime syndicates that not only we but everyone in the financial industry are dealing with," Koskinen said.
The IRS was originally alerted to the problem by unusual activity in mid-April, which marks the end of the annual tax-filing season.
The IRS security breach is the latest in a string of data thefts. Wall Street giant JPMorgan Chase, tech major Sony and mega-retailers Target and Home Depot have all suffered cyber attacks.