Hackers have stolen data linked to more than 100,000 U.S. taxpayers, the federal tax agency said Tuesday. The data breach includes tax return data and other unspecified personal information.
At a news conference, IRS Commissioner John Koskinen said criminals made about 200,000 attempts to access tax information; 100,000 of those attempts, made from February to mid-May, were successful. Koskinen said criminals claimed almost $50 million from the agency.
The IRS says criminals gained access to the accounts through its online service Get Transcript, which the agency shut down temporarily. The data stolen included taxpayers' Social Security information, birthdays and addresses.
The IRS became aware of the breach when workers noticed a larger than usual number of people seeking transcripts through the online service. The thieves used the data to file fake tax returns.
"We're confident these are not amateurs [but are] actually organized crime syndicates that not only we but everyone in the financial industry are dealing with," Koskinen said.
The IRS, in a statement, said the criminals "gained sufficient information from an outside source before trying to access the IRS site, which allowed them to clear a multi-step authentication process, including several personal verification questions that typically are only known by the taxpayer."
The agency said the Treasury inspector general for tax administration and the IRS's Criminal Investigation unit are reviewing the breach.
"The IRS will provide free credit monitoring services for the approximately 100,000 taxpayers whose accounts were accessed," the IRS said.
Apparently, other IRS databases, including the main tax filing submission system, are unaffected.
The IRS break-in is just the latest assault on government systems. Last week, the Federal Reserve Bank of St. Louis confirmed that hackers hijacked its domain name servers in April, and warned of a potential data breach as well as exposure to malware.
The attack redirected web searches and queries for a variety of domains run by the government entity to a web page set up by the attackers, in an apparent bid to hijack online communications of banks and other entities dealing with the regional Fed office.
Hackers who targeted the NCUA website in March also set up a fake site that used design elements from the NCUA's site. The government's Internet Crime Complaint Center issued a warning about the practice in early April.
As of May 19, the number of breaches captured on the ITRC 2015 Breach Report totals 304 data incidents. This represents a dip of nearly 4% in the number of breaches from last year's total for the same period (316).
"As per always, we should be looking to understand, what was the root cause of these account takeovers?" John Zurawski, vice president at Chicago-based Authentify, said. "There's a strong likelihood that it's poor user authentication and unfortunately, a total lack of compliance with the last presidential directive on cybersecurity for government servers that contain PII."
Zurawski added there is nothing new or unique about this incident; it is a problem for which a solution exists, and the key from now until forever is out-of-band.
"The answer is to require an out-of-band, phone-based authentication post-login of sensitive events or dual approval for some events, for example, creating an account to interact with a United States government agency like the IRS," he said. "In financial services and e-commerce, it's becoming more common to contact an end-user out-of-band, via telephone call, SMS message or secure messaging via a smart app to present transaction details and ask for confirmation. This workflow beats the 'wolf in sheep's clothing,' or, the imposter who has somehow obtained valid credentials."