For all our tax dollars, our data should be better protected

I don’t think I’ve ever met anyone who has had a positive experience with the IRS, or really anything remotely resembling praise for them at all. Well, let’s see how much lower their opinion can get. With the agency’s announcement last week that it had suffered a data breach that had compromised the personal tax information of 100,000 taxpayers, the IRS is just the latest organization to be hit. It’s just too bad this one happens to collect highly sensitive data about every American citizen and every company doing business here. Initially, the IRS wouldn’t say whether they believed the attackers to be domestic or overseas actors, although on Wednesday CNN reported that it’s now believed Russian hackers are responsible for perpetrating the breach that lasted from February to mid-May.

Apparently, they accessed the data through the “Get Transcript” application, an online service run by the IRS that allows people to get their tax returns and other previous filings with the agency. What was this system’s security, you ask? The hackers needed a person’s information, such as Social Security number, date of birth, filing status and street address, followed by a security question, a kind of check that, according to Google researchers, isn’t necessarily that secure and can be easy for thieves to guess. Where they even obtained that initial information to begin with is anyone’s guess.

In all, the criminals attempted to access the data of 200,000 taxpayers, and obviously were successful with half, getting the full tax return transcript of the affected victims.

Reaction from Congress has appeared suitably miffed, at least.  Senate Finance Committee Chairman Orrin Hatch (R-Utah) expressed outrage at the agency’s failure to protect the information, while noting that repeated warnings from top government watchdogs about its outdated and vulnerable data security systems “against the growing threat of international hackers and data thieves” went ignored.  The senator plans to summon IRS Commissioner John Koskinen before his committee this week for an explanation.  The FBI and Department of Homeland Security have also announced their own investigations into the breach, so ostensibly this incident is being taken seriously.  Considering the IRS’ computer security shortcomings date back to reports from 1997, however, it would have been nice had sufficient action been taken before now.

By: Jonathan Weicher