On August 17, 2015, the Internal Revenue Service (“IRS”) announced that a breach of U.S. taxpayers’ personal information, first disclosed in May, was three times worse than previously thought. While initial reports indicated that approximately 100,000 individuals’ records were accessed, the IRS now believes that 300,000 taxpayers were affected. 

The hack involved the IRS’ “Get Transcript” function, which was designed to permit a taxpayer to request his or her prior tax returns through a web interface using only the applicable name, birth date, Social Security number, filing status, and address for authentication.  In May, the IRS confirmed that hackers had used the Get Transcript feature to fraudulently obtain tax returns using personal information presumably stolen independently.  Following the initial detection, the IRS determined that 600,000 suspicious requests were made using the Get Transcript feature, and approximately half were successful.

As previously reported, the original announcement of the data breach attracted significant Congressional scrutiny, with both the House and Senate demanding briefings.  In its aftermath, the IRS disabled the Get Transcript web application, although the IRS continues to provide transcripts by mail.  The agency has also promised to offer credit monitoring to taxpayers affected by the breach.  However, the government has not yet identified any suspects.

Tuesday’s revised report from the IRS is an object lesson in the response to cyber-attacks, whether actual or suspected.  Often, the full scope of an attacker’s access will not be immediately apparent.  Because both initial detection and subsequent forensics can take significant time, it is often worth setting long retention periods for access logs.  More generally, the need to respond quickly must be balanced with the time needed to perform a full analysis of the suspected breach.