Cyber criminals continually try to get into people’s myIR accounts. Last month Inland Revenue (IR) noticed a significant increase in malicious attempts to logon, with over 500,000 attempts.
IR believes two step verification, rolled out last year to give an added layer of protection, prevented access to most accounts. However, around 300 myIR accounts which did not have 2SV set up were accessed.
Those 300 accounts have been closed, and we are monitoring up to 900 accounts where a correct password was entered, but two factor authentication prevented access.
Inland Revenue is contacting the 300 affected customers to let them know we have noticed unusual activity on their account. That will be followed up with a letter letting them know what has happened and how to get support from us if needed.
We believe people had used the same credentials (username and password) on their myIR account as they use on other, less secure, sites.
Username and password combinations from less secure systems are frequently distributed and sold online, highlighting the importance of using unique passwords for every site.
We have implemented additional security measures and are talking with police and the National Cyber Security Centre. We have informed the Office of the Privacy Commissioner.
If anyone gets a message from Inland Revenue telling them there has been a new log on to their account, and it wasn’t them, they should contact IR.
Inland Revenue is urging people not to use the same password on multiple sites and to Set up two-step verification for myIR. myIR also supports setting up passkeys.