data breach

It seems there was good reason for downplaying May’s security breach in the IRS “Get Transcript” application. It really was quite a bit worse than they had described it back in May. The breach was first described as unauthorized access into 100,000 tax accounts, and that number has recently been amended to 334,000. We were also told that international thieves started tampering with the site in February 2015, but now the IRS says it was actually November 2014.

The IRS can’t get anything right. When are they going to learn to be more cautious and conservative in their official statements? I have to believe that IRS press releases are reviewed by their tax attorneys, or somebody with good judgment and a strong command of the English language. How difficult would it have been to state that the preliminary figures suggest there were 100,000 but this number could increase (or even is likely to increase) pending further investigation. I, for one, would not consider that to be wishy washy in any way. It may be frustrating to some; we want to know all the facts the moment the story breaks. But it is more honest and credible to state only as much as can be confirmed and it is rarely a bad thing to admit when things are not yet known. Maybe that’s the IRS’ biggest problem. As an agency, they have suffered so much by way of public scorn, and their competence has been called into question so many times that they feel the pressure to have all the answers at times when having all the answers would be impossible.

Sometimes the problem with the IRS has less to do with the way they actually handle issues and more to do with the way they inform the public.

The IRS recently announced the unauthorized access into 100,000 tax accounts by cyber-criminals through the “Get Transcript” application on the IRS website. Virtually every word in Commissioner Koskinen’s statement is calculated to either downplay the seriousness of the breach, deflect the blame, or put a Band-Aid on it, almost to the point that it causes increased suspicion. It’s like when someone begins a statement with the words, “to be honest,” and you can’t help but wonder if they really are. I will list everything the Commissioner said that could be taken that way and, of course, let you read between the lines:

The information that allowed the criminals access was obtained from an outside source
The crime was very sophisticated
Access to “Get Transcript” is only obtained through a multi-layer authentication process
The matter is under review by TIGTA and IRS’ Criminal Investigation division (CI)
IRS main computer systems were not affected & remain secure
Although there were 100,000 successful data breach attempts, there were another 100,000 that were unsuccessful
All 200,000 affected taxpayer accounts will get letters from the IRS explaining what has happened
IRS is offering free credit monitoring to those whose accounts were successfully accessed
“Get Transcript” application has been shut down temporarily

And then there was the obligatory and generic “make-them-feel-good” statement:

[T]he IRS takes the security of taxpayer data extremely seriously, and we are working aggressively to protect affected taxpayers and continue to strengthen our protocols.

I totally understand the need to keep the comments positive in this kind of situation. Any corporation would do the same sort of damage control in the form of some similar carefully worded, lawyer-drafted statement. We definitely don’t want panic spreading across the nation in response to something like this. But we are not stupid either. If this data breach were really as benign as they want us to believe then why did they take the application down? As much as the IRS has tried to deflect the blame for the data breach, I think they know that there are ways to tighten up security. Nothing spells this out more clearly than the fact that the IRS immediately deactivated the application to fix it and make it more secure.

Tag: data breach

Initial Estimates from May Data Breach were Low

IRS Downplays Latest Data Breach