The malware successfully obtained 101,000 PINs last month.
Identity thieves tricked an Internal Revenue Service system into issuing them PINs under the names of other taxpayers so they could file for their victims' refunds, according to the tax agency.
The so-called e-file PINs are required to file federal returns electronically if you are missing other acceptable types of identification, such as your adjusted gross income.
On Tuesday night, the IRS disclosed that a "bot," essentially an automatic malicious program, entered Social Security numbers (stolen elsewhere) into the IRS system that generates e-file PINs. The malware successfully obtained 101,000 PINs last month using this maneuver. Whoever was behind the manipulation possessed a total of 464,000 stolen Social Security numbers, but not all of them worked in the system, according to the IRS.
Agency officials said they have stopped the malicious usage of the system.
But at a Wednesday congressional hearing, the Senate Finance Committee chairman questioned IRS Commissioner John Koskinen about whether the hackers might still have access to the affected system.
"How can the IRS be sure it has fully identified and contained this attack and other attacks that may come?" asked Sen. Orrin G. Hatch, R-Utah, at a session on the agency's 2017 funding request. "Attacks of this nature can often result in malware or a virus being embedded in a compromised system even after an event is known."
Koskinen called the possibility of malware that can evade detection a serious question.
"The caliber of the enemy we are facing is increasingly more sophisticated and more global," he said. "We're dealing with organized crime syndicates all around the world."
However, no networks or systems were compromised in this instance or in a similar gambit ID thieves perpetrated last filing season.
"None of those attacks breached our system itself -- in the sense that our database was accessed," Koskinen said. The most recent case "was simply an attempt by criminals to get a filing PIN to allow them to in fact use information that they have stolen already to try to file a false return."
About a year ago, criminals gamed an online service called "Get Transcript" to view 334,000 taxpayers' records for similar ends.
The latest episode "is not connected or related to last week's outage of IRS tax processing systems," IRS officials said in a statement, referring to a suspected hardware failure Feb. 4 that knocked agency computers offline, bringing e-filing to a halt.
The agency is notifying the affected taxpayers to inform them that someone else used their Social Security numbers. In addition, the IRS says it is flagging their accounts to counter tax-related ID theft.
E-file PINs are valid for a year.
Koskinen on Thursday thanked the lawmakers for allocating $290 million this year to reduce phone wait times for customer service, bolster network security and combat ID theft.
In the 2017 budget proposal, the IRS is asking for $90 million in additional funding to further deter fraud and reduce improper payments. The money would cover extra staffing and technology to, among other things, move away from relying on SSNs as an identifier and more quickly obtain W-2 employment tax forms from the Social Security Administration.