The IRS recently announced unauthorized access to 100,000 tax accounts by cyber-criminals through the “Get Transcript” application on the IRS website. Virtually every word in Commissioner Koskinen’s statement is calculated to either downplay the seriousness of the breach, deflect the blame, or put a Band-Aid on it, almost to the point that it causes increased suspicion. It’s like when someone begins a statement with the words, “to be honest,” and you can’t help but wonder if they really are. I will list everything the Commissioner said that could be taken that way and, of course, let you read between the lines:
- The information that allowed the criminals access was obtained from an outside source
- The crime was very sophisticated
- Access to “Get Transcript” is only obtained through a multi-layer authentication process
- The matter is under review by TIGTA and IRS’ Criminal Investigation division (CI)
- IRS main computer systems were not affected and remain secure
- Although there were 100,000 successful data breach attempts, there were another 100,000 that were unsuccessful
- All 200,000 affected taxpayer accounts will get letters from the IRS explaining what has happened
- IRS is offering free credit monitoring to those whose accounts were successfully accessed
- “Get Transcript” application has been shut down temporarily
And then there was the obligatory and generic “make-them-feel-good” statement:
[T]he IRS takes the security of taxpayer data extremely seriously, and we are working aggressively to protect affected taxpayers and continue to strengthen our protocols.
I totally understand the need to keep the comments positive in this kind of situation. Any corporation would do the same sort of damage control in the form of some similar carefully worded, lawyer-drafted statement. We definitely don’t want panic spreading across the nation in response to something like this. But we are not stupid either. If this data breach were really as benign as they want us to believe, then why did they take the application down? As much as the IRS has tried to deflect the blame for the data breach, I think they know that there are ways to tighten up security. Nothing spells this out more clearly than the fact that the IRS immediately deactivated the application to fix it and make it more secure.