IRS tax bods tell Americans to chill out about Equifax

Your personal data was probably already in crims' hands

By Richard Chirgwin


The United States Internal Revenue Service has said that citizens affected by the Equifax breach need not panic, because it probably didn't reveal anything that hasn't already been stolen and the agency has tooled up to deal with fraudulent tax claims.

Commissioner John Koskinen, discussing whether the breach would interfere with tax collection, told journalists “a significant percent of those taxpayers already had their information in the hands of criminals”, according to a report of a Q&A session after a speech at the Service's "Security Summit".

In his prepared remarks, the commissioner said "We’ve seen the number of identity theft-related tax returns fall by about two-thirds since 2015. Over the past two years, fewer false returns have entered the system, fewer fraudulent refunds have been issued and fewer taxpayers have reported to the IRS that they were victims of identity theft. This dramatic decline helped prevent hundreds of thousands of taxpayers from facing the challenge of dealing with identity theft issues."

But that still leaves as many as 100 million individuals at risk of Equifax-sourced data causing them problems outside their dealings with the IRS. Koskinen added that Americans should assume their data is in criminal hands and act accordingly.

As we reported at the time of the mega-breach, not everything Equifax knew about Americans was leaked: “only the names, social security numbers, birth dates, addresses and, in some instances, driver's license numbers of 143 million Americans”.

It later emerged that the patching error that left the credit reporting company trouserless was common, with estimates that as many as 50,000 organisations downloaded still-vulnerable Apache Struts 2 packages after the software was patched against CVE-2017-5638.

Koskinen promised taxpayers the IRS wouldn't end up on the breach list, given how much “sensitive personal information has fallen into the hands of criminals recently”.

The Register decided a reality test was in order, and asked Troy Hunt (who maintains the HaveIBeenPwned database of breached accounts) whether Koskinen's remarks ring true.

“I think that would be just under one-third of the population … it may be fractionally on the high side,” Hunt said.

However, any general statement that “what's technically called a sh*tload” of Americans were already pwned is “probably accurate”. ®
