There is big, big money in tax fraud and apparently the Russians know it. The evidence is pouring in and it looks like the Russians are responsible for the recent IRS data theft case. According to the IRS, crooks nationwide steal $6 billion in tax refunds from state and federal returns. Well, the IRS has reported that they lost data for over 100,000 taxpayers May 26, 2015. This theft was able to take place (in the first place) because the hackers were already in possession of stolen names, addresses and social security numbers that were obtained from the many data breaches earlier this year. One such breach was the Anthem Insurance data breach.
Upon further review, (ha-ha) the IRS said that it was not really a hack job but instead it was their own weak authentication process that was at fault. So the IRS has been using a weak authentication process to protect your tax data and because of that the hackers were able to get your info using the stolen taxpayer records mentioned above. I wonder what level of sophistication they use for their data? Ya know, the data that they are holding on the taxpayers of the USA. Don’t even think they don’t accumulate as much private info on taxpayers as is possible above and beyond what you supply them in your returns.
The IRS has also stated that it has closed the online service application called The Get Transcript app. The IRS noticed a lot of unauthorized activity on the service that is used to help taxpayers obtain past tax records online. They have stated: “this sort of activity indicates that unauthorized third parties had access to some people’s accounts.” They have really thought this through. They have a method of validation and it is as weak as their encryption. So, in order to use this service you are subjected to a question and answer session used to validate whether you are the person you are claiming to be. They ask questions like “who held your last mortgage?” and “what streets have you not lived on?” The problem right away with this method is that this information is readily available on your credit report. This is tax fraud and as I said earlier, it is big business and the problem is that this information can easily be obtained by anybody adequately motivated to obtain it.
The IRS reported this breach and then did what it seems every organization that has a breach is doing: they are offering free credit monitoring in order to allow you to keep an eye on these accounts and to see if they are being used in any further theft attempts. I’m sure that made them feel better. It didn’t do much for the victims. The victims should be taking advantage of the availability of free credit reports annually anyway. So my problem with all of this is, well, this: It seems to me the IRS is about as concerned with protecting our data as Anthem Insurance was earlier this year. They didn’t encrypt the clients’ information at all. Target was lackadaisical to the extreme leading up to their now infamous loss of their customers’ private data. I could go on and on with examples. In fact I have in previous blogs and podcasts on “The Help Desk Podcast”.
I am currently working on a project that will bring a technical glossary to this website. One of the terms is “leaky bucket”. It’s an analogy to a bucket with a hole in it. The amount of information that will leak out will be determined by the size of the hole in the bucket. Has anybody but me noticed how large that hole is when it comes to our private (financial and personal) data? Is this the state of the environment from now on? Unless organizations collecting our data do something, these leaks can only get bigger. In future blogs (and podcasts) we will be talking about what these organizations can do to try to plug that “leaky bucket”. Whether they do or not, well, is up to them.
This was just a thought, thanks.