Last week, the IRS experienced a data breach affecting more than 100,000 citizens. The hackers accessed an IRS online system in order to obtain the personal information of taxpayers. News on this story has since generated a huge amount of coverage in major news outlets. Upon disclosing the attack, the IRS also stated the matter was under review by the Treasury Inspector General for Tax Administration as well as the IRS’s Criminal Investigation unit.
Before we move forward, a quick recap of how this played out. The perpetrators are believed to have stolen personal information (personal information that was likely gathered from previous data breaches), which then allowed them to pull tax transcripts from the IRS’ “Get Transcript” application. This vicious cycle is likely to continue, as those transcripts contain more personal information that can – and will – be exploited elsewhere for financial benefit.
This attack yet again sheds light on the data security gap. In this case, certain information was used by adversaries to access tax records by impersonating the authorized user. How? Because they had sufficient information about the person from whom they are seeking tax information. Likely, data security holes existed in the places where the adversaries stole the personal information they used for the IRS Get Transcript application.
Additionally, it’s clear the IRS Get Transcript application makes it far too easy for someone with certain stolen personal information to impersonate someone. The Get Transcript application thinks the user is who they say they are, and sends the detailed transcript info.
Below, I’ve explored the ramifications of the breach, flaws in technology that lead to the breach and the most important lessons the IRS/other organizations can and should learn when it comes to data security and authentication practices.
The Impact on the IRS, Consumers and Public Trust
The IRS already has its work cut out for it; it’s arguably one of the most despised government agencies in existence. This situation will not help it with reputational, legal or political battles.
On top of already eroding public trust, the agency bled money throughout the infiltration. According to Koskinen, fraudulent returns were able to claim $50 million in refunds before it was detected by staff. In case it isn’t clear, this was able to happen because fraudsters impersonated customers through the Get Transcript application and then filed for fraudulent refunds.
Additionally, the 100,000+ people impacted by the attack have some steep hurdles to overcome. For starters, the free credit monitoring services being offered to help consumers keep track of their credit does not track fraudulent claims on government benefits. So, while Audrey from Los Angeles might benefit from knowing whether or not her credit score experienced a dramatic drop, she won’t have insight into the fact that Mike from Pittsburgh is using her personal information to apply for unemployment.
As if consumers don’t already have enough to worry about, the attack draws attention to two demoralizing realities:
- Information stolen from one breach can be used to steal information from other systems in the same or other organizations
- The weak design of some web-facing applications makes it far too easy for a “user” to “identify” themselves
What Went Wrong
As I mentioned above, the IRS attack highlights how previous breaches of data can continue to haunt people long after the actual event. In this case, hackers leveraged previously stolen social security numbers (SSNs) to both access previous year’s tax data and to fraudulently apply for tax returns. The SSNs could have been stolen, or purchased from a black market site, at any time before the attack was started.
Some of the blame has to lie with the institutions that originally lost those SSNs. If widely available, proven protections for data are in place (file or application-based encryption, access controls, data access monitoring or tokenization), it becomes much more difficult to steal the information that was used in this breach. Sadly, once data such as an SSN, bank account number or driver’s license information is stolen, people remain vulnerable long after the original breach occurred.
But, blame also lies with the IRS. Needless to say, Get Transcript was designed with a weak authentication methodology.
As of Tuesday, the IRS was expected to soon announce an agreement with tax-preparation companies which would, according to the Wall Street Journal, “improve authentication of the people using tax-filing systems; to strengthen the industry’s ability to check for broad indications of fraud; and to communicate those trends to the IRS, according to a person familiar with the matter.” In the same article, the IRS’ John Koskinen also stated agency official would offer “short-term solutions to help better protect personal information in the coming tax filing season, and to continue to work on longer-term efforts to protect the integrity of the nation’s tax system.”
In our opinion, short-term solutions are not enough – not for the IRS, or companies that have sensitive information at their disposal.
In the case of the IRS, we know the agency has requested additional funds for combating identify theft and fraud. What’s important here is how the money is being spent. According to Computerworld, “the IRS’ funding for cybersecurity has fallen from $187 million in 2011 to $149 million in 2015 -- a drop of more than 20%.” If this is the financial reality the agency must contend with, there is an urgent need to take the smartest approach possible.
Understanding there are complex political, financial and bureaucratic factors that affect government IT policy, here are some key takeaways:
- Compliance is not enough. If you’re thinking “Alan, it’s about that time you got this tattooed somewhere,” well, fine. We cannot underscore this enough. Many government agencies live and die by compliance standards put in place years and years ago. That’s because most compliance standards take years to evolve. A CBS article posted on Tuesday quotes J. Russell George, Treasury inspector general for tax administration (TIGTA), as saying “the IRS hadn't implemented 44 of his department's recommendations to improve computer security, 10 of which were more than three years old.”
- The IRS (and other organizations) need to “think like a hacker.” Not like a government beauracrat with a GS-13 pay grade and two more years until retirement. Questions that should be asked include:
- How can I design an application to combat against data loss assuming an adversary exists in the wild with stolen personal information?
- How would they (the hacker) design their application differently?
- What enhanced identity management should the Get Transcripts application have employed? If you’re thinking like a hacker, you’d do a better job designing this, and other applications.
As for companies responsible for storing and securing sensitive data – as in, the type of data the IRS fraudsters used to impersonate others – encrypt, encrypt, encrypt. Given today’s threat environment, encrypt everything possible, everywhere possible. If you don’t, it will come back to haunt you. At this point, it’s practically a promise.