The IRS disclosed last week that it had been hacked, with over 100,000 detailed taxpayer records stolen. The hack used the “Get Transcript” service used by mortgage lenders to obtain applicants tax returns going back multiple years. The Get Transcript is now offline in the wake of the theft, but the thorny issue remains – just how could the IRS be hacked?
The technical details don’t really matter to my mind, what does is the low bar for security established by IRS policy makers.
No other document contains as much sensitive, financial and personal information as your tax records. A lot of medical providers may differ with me on this point, with patient health records and the information they contain. However, the point of data theft in both cases is primarily for financial gain, and tax records tell thieves where your money is, and in some instances, provides a road map to getting their hands on it.
In a statement the IRS declared that, “about 200,000 attempts were made from questionable email domains, with more than 100,000 of those attempts successfully clearing authentication hurdles.”
Now that is more than a 50% success rate – better than 1 in 2 – and at this juncture, I am not going to trust that the IRS has got this right and potentially, more taxpayers could be affected than they currently believe.
In essence, this breach was less of a hack and more about social hacking, and it demonstrates the appallingly low standards set by the IRS with data security.
The mortgage system involved has some large, well-known and creditable vendors working with it. I’m not saying this is a good or bad thing necessarily, but in addition to the big firms, there are a host of smaller outfits who get access too. To become authorized to use the Income Verification Express Service (IVES) provided by the IRS, it is a very basic company information submission process with a tick in a check box that they will comply with taxpayer data security.
That’s it.
Part of the defense being mounted by the IRS revolves around the claim that there have not been data breaches with the IVES system before.
Thanks!
Just because no-one has robbed your house before, do you leave the doors and windows unlocked when you leave it?
I think the IRS needs to shake itself out of this complacent attitude towards taxpayer data security.
Hacking and cyber-crime are on the rise, and this trend is going to continue, but what disturbs me even more with this case is that the IRS knew of the danger.
The US Treasury Department conducted an internal investigation back in 2011, and the Inspector General concluded;
[taxpayer data] is at risk of theft or misuse when taxpayers submit IVES requests for tax return information through third parties because controls are insufficient . . . .
Further, the Inspector General also laid out the problem with IVES – inadequate screening of vendors and weak, minimal standards and requirements to get authorized to use the system. At the time the IRS agreed to improve data security, but in the wake of this breach, it will be interesting to see how many they actually implemented.
No matter what was implemented, and I suspect nothing was or minimal lip service paid to the security recommendations of the Inspector General, over 100,000 taxpayers now have their information in the hands of crooks.
The people responsible for this at the IRS should be fired.
I doubt that is going to happen.
IT systems are foundational to modern businesses. Too often, that foundation is unsteady. Unpredictable outages, insecure networks, and unreliable performance from mission-critical systems can jeopardize your entire business.
There’s a better way. Learn how.
Get in touch with us for a free consultation with one of our technical experts. We’ll review your current systems, assess your needs, and identify the coverage options to best meet them.
Get in touch with us by phone: