IRS Downplays Latest Data Breach

The IRS recently announced the unauthorized access into 100,000 tax accounts by cyber-criminals through the “Get Transcript” application on the IRS website.  Virtually every word in Commissioner Koskinen’s statement is calculated to either downplay the seriousness of the breach, deflect the blame, or put a Band-Aid on it, almost to the point that it causes increased suspicion.  It’s like when someone begins a statement with the words, “to be honest,” and you can’t help but wonder if they really are.  I will list everything the Commissioner said that could be taken that way and, of course, let you read between the lines:

  1. The information that allowed the criminals access was obtained from an outside source
  2. The crime was very sophisticated
  3. Access to “Get Transcript” is only obtained through a multi-layer authentication process
  4. The matter is under review by TIGTA and IRS’ Criminal Investigation division (CI)
  5. IRS main computer systems were not affected & remain secure
  6. Although there were 100,000 successful data breach attempts, there were another 100,000 that were unsuccessful
  7. All 200,000 affected taxpayer accounts will get letters from the IRS explaining what has happened
  8. IRS is offering free credit monitoring to those whose accounts were successfully accessed
  9. “Get Transcript” application has been shut down temporarily

And then there was the obligatory and generic “make-them-feel-good” statement:

[T]he IRS takes the security of taxpayer data extremely seriously, and we are working aggressively to protect affected taxpayers and continue to strengthen our protocols.

I totally understand the need to keep the comments positive in this kind of situation.  Any corporation would do the same sort of damage control in the form of some similar carefully worded, lawyer-drafted statement.  We definitely don’t want panic spreading across the nation in response to something like this.  But we are not stupid either.  If this data breach were really as benign as they want us to believe then why did they take the application down?  As much as the IRS has tried to deflect the blame for the data breach, I think they know that there are ways to tighten up security.  Nothing spells this out more clearly than the fact that the IRS immediately deactivated the application to fix it and make it more secure.

IRS Employee Breaks Protocol and It's Still Considered News

Today the IRS released a statement addressing a situation involving improper use of confidential information by an IRS employee.  One rogue employee took home an unencrypted flash drive containing “employee-related information” that dates back to 2007.  Typically this type of problem would be discovered by the Treasury Inspector General for Tax Administration (TIGTA) and released in one of their famous audit reports.  However, this particular incident was identified by the IRS which preemptively released its statement via their own “newsroom” today.

One news source cited the commissioner as saying that the incident did not involve any taxpayer information.  This would have been a humorous gaffe, had he actually said this.  Humorous because even if the information that was put at risk belonged to former or present IRS employees, wouldn’t it also be taxpayer information?  The last time I checked, IRS employees have to pay taxes too.  But I think this was a bad job of paraphrasing.  Put back into context, the statement reads a little differently.  According to the prepared statement, the information “included IRS employee-related information and not general taxpayer information or records.”  Even though the difference in wording is very slight, it makes quite a difference in meaning.

According to the statement, this was an “isolated instance,” and inappropriate use of this information “could not occur in today’s environment.”  Mmm-Hmmm…