On 28th May 2020, Ireland’s Revenue Commissioner released a statement confirming a personal data breach. Ireland’s taxation authority declared on its website that unidentified fraudsters had accessed personal data of thousands of taxpayers as a result of an SMS text messaging scam.
Around 3,000 taxpayers were in receipt of a text message carrying a link to a fraudulent website seeking personal information. The text message claimed to be from the Revenue Commissioners. However, Revenue has clarified that, no such text message was forwarded or addressed by them to any of the taxpayers. Revenue is concerned that the fraudsters may have unlawfully accessed the ‘myAccount’ user profile of several taxpayers. Account holders may have provided personal data like PPSN, Date of Birth and the password to ‘log-in’ to their respective accounts. Also, the said user profile holds the bank details of the taxpayer.
Revenue’s chief information officer John Barron said: “Following an investigation by Revenue’s IT Department into this latest scam, we are contacting approximately 3,000 taxpayers to make them aware of our concerns that their personal details may have been accessed, the possible serious implications for them and to set out some practical things they can do to minimise the extent of any fraud perpetrated against them.”
Also, Mr. Barron stated: “It is important to note that the security of Revenue’s systems has not been compromised in any way. However, the nature of this particular type of scam has led to some taxpayers unwittingly compromising the security of their personal myAccount profile details by providing information such as their PPSN, Date of Birth and myAccount password to fraudsters. This occurred after the taxpayer clicked on a link, in a text sent by fraudsters, which purported to be the Revenue ‘myAccount’ log-in screen”. He also warned that the potential risk of personal data falling in the wrong hands has made taxpayers vulnerable to further compromised personal data, including bank details saved in the MyAccount system.
To help mitigate the risks to the individuals, Revenue issued a letter (example here) to the affected taxpayers notifying them that their respective ‘myAccount’ user-profile has been temporarily deactivated and providing a set of next steps to be followed.
Revenue has regularly been alerting the taxpayers about such fake and fraudulent acts. Revenue never issue text messages or email seeking personal information.
Read here: Easyjet Data Breach: Will it cost millions?