Initial Estimates from May Data Breach were Low

It seems there was good reason for downplaying May’s security breach in the IRS “Get Transcript” application.  It really was quite a bit worse than they had described it back in May.  The breach was first described as unauthorized access into 100,000 tax accounts, and that number has recently been amended to 334,000.  We were also told that international thieves started tampering with the site in February 2015, but now the IRS says it was actually November 2014.

The IRS can’t get anything right.  When are they going to learn to be more cautious and conservative in their official statements?  I have to believe that IRS press releases are reviewed by their tax attorneys, or by somebody with good judgment and a strong command of the English language.  How difficult would it have been to state that preliminary figures suggest 100,000 accounts were affected, but that this number could increase (or is even likely to increase) pending further investigation?  I, for one, would not consider that to be wishy-washy in any way.  It may be frustrating to some; we want to know all the facts the moment the story breaks.  But it is more honest and credible to state only as much as can be confirmed, and it is rarely a bad thing to admit when things are not yet known.  Maybe that’s the IRS’s biggest problem.  As an agency, they have suffered so much public scorn, and their competence has been called into question so many times, that they feel pressure to have all the answers at times when having all the answers would be impossible.

Sometimes the problem with the IRS has less to do with the way they actually handle issues and more to do with the way they inform the public.

IRS Makes Plans with Private Sector to Curb Future Cyber Attacks

John Koskinen, Commissioner of the IRS, announced yesterday in a press conference that his agency is making plans to join forces with states and the entire private tax industry to combat cyber tax criminals like the ones who recently accessed taxpayer data through the “Get Transcript” application of the IRS website.  It’s the whole “it takes a village” concept applied to the ongoing battle to protect sensitive information on the internet. Government and industry plan to share information in ways they have never done before.

As a tax relief attorney, I don’t know a lot about computers and information technology.  If the top level guys at the IRS are IT ninjas, I’m probably a yellow belt noodle maker.  But commingling of IRS and private sector data makes me nervous, if that’s what they’re talking about doing.  I understand the desire to cooperate on this monumental task of stopping international cyber-criminal syndicates, but I feel like a little separation between public and private sector computer systems is healthy.  It seems to my naive mind that the more connected they are, in the event of a large-scale hack, the more likely we all go down together.

Here are a few nice words from Koskinen’s press conference:

[A]ny organization in the public or private sectors with IT systems and sensitive data faces a battle that seems to grow every day. The nation’s tax system is no different….No single organization can go it alone….None of us has a silver bullet to defeat this enemy….Working together we can achieve results that none of us, working alone, could accomplish.

Such an American thing to do, don’t you think?  Everyone joining forces and working together to defeat a common enemy and prevent a crisis.  I hope this is a step in the right direction and not just the IRS telling us what we want to hear.  The upside to all this for the IRS is that the next time their systems are compromised, maybe they can share the blame with businesses and states.

IRS Downplays Latest Data Breach

The IRS recently announced the unauthorized access into 100,000 tax accounts by cyber-criminals through the “Get Transcript” application on the IRS website.  Virtually every word in Commissioner Koskinen’s statement is calculated to either downplay the seriousness of the breach, deflect the blame, or put a Band-Aid on it, almost to the point that it causes increased suspicion.  It’s like when someone begins a statement with the words, “to be honest,” and you can’t help but wonder if they really are.  I will list everything the Commissioner said that could be taken that way and, of course, let you read between the lines:

  1. The information that allowed the criminals access was obtained from an outside source
  2. The crime was very sophisticated
  3. Access to “Get Transcript” is only obtained through a multi-layer authentication process
  4. The matter is under review by TIGTA and IRS’ Criminal Investigation division (CI)
  5. IRS main computer systems were not affected & remain secure
  6. Although there were 100,000 successful data breach attempts, there were another 100,000 that were unsuccessful
  7. All 200,000 affected taxpayer accounts will get letters from the IRS explaining what has happened
  8. IRS is offering free credit monitoring to those whose accounts were successfully accessed
  9. “Get Transcript” application has been shut down temporarily

And then there was the obligatory and generic “make-them-feel-good” statement:

[T]he IRS takes the security of taxpayer data extremely seriously, and we are working aggressively to protect affected taxpayers and continue to strengthen our protocols.

I totally understand the need to keep the comments positive in this kind of situation.  Any corporation would do the same sort of damage control in the form of a similar carefully worded, lawyer-drafted statement.  We definitely don’t want panic spreading across the nation in response to something like this.  But we are not stupid either.  If this data breach were really as benign as they want us to believe, then why did they take the application down?  As much as the IRS has tried to deflect the blame for the data breach, I think they know that there are ways to tighten up security.  Nothing spells this out more clearly than the fact that the IRS immediately deactivated the application to fix it and make it more secure.

IRS Employee Breaks Protocol and It’s Still Considered News

Today the IRS released a statement addressing a situation involving improper use of confidential information by an IRS employee.  One rogue employee took home an unencrypted flash drive containing “employee-related information” that dates back to 2007.  Typically this type of problem would be discovered by the Treasury Inspector General for Tax Administration (TIGTA) and released in one of their famous audit reports.  However, this particular incident was identified by the IRS which preemptively released its statement via their own “newsroom” today.

One news source cited the commissioner as saying that the incident did not involve any taxpayer information.  This would have been a humorous gaffe, had he actually said it.  Humorous because even if the information that was put at risk belonged to former or present IRS employees, wouldn’t it also be taxpayer information?  The last time I checked, IRS employees have to pay taxes too.  But I think this was a bad job of paraphrasing.  Put back into context, the statement reads a little differently.  According to the prepared statement, the information “included IRS employee-related information and not general taxpayer information or records.”  Even though the difference in wording is very slight, it makes quite a difference in meaning.

According to the statement, this was an “isolated instance,” and inappropriate use of this information “could not occur in today’s environment.”  Mmm-Hmmm…