Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

IRS Data Security Still a Concern

Posted by Soulskill on Saturday December 22, @11:22AM
from the your-tax-dollars-at-work dept.
Security Privacy
Lucas123 writes "Computerworld has a story about the possibility and the potential ramifications of an IRS data loss similar to the UK's recent mishap. According to one World Bank executive, it could have already happened, 'and we don't know about it.' While the IRS does offer data encryption to its workers, more than half of its 94,000 employees have permission to take taxpayer information to locations outside the IRS offices. In the 2007 filing season, roughly 128 million individual tax returns were filed. In addition to the basic personal information on those forms, an IRS breach could also jeopardize the banking information of the 46% of filers who requested direct deposit refunds. This is not the first time that IRS security has been called into question, and the Department of Treasury's progress in that arena is dubious. [PDF]"

Related Stories

[+] IRS Freely Gives Out Employee User Name/Password Info 146 comments
An anonymous reader writes "The Treasury Inspector General for Tax Administration reports that its inspectors were able to get IRS employees to improperly disclose their user names and passwords over 61% of the time. 60,000 of the IRS's 100,000 employees and contractors thus are susceptible to computer hackers, putting personal taxpayer information at risk for unauthorized disclosure, theft and fraud. 'Only eight of the 102 employees contacted either the inspector general's office or IRS security offices to validate the legitimacy of the caller ... The IRS agreed with recommendations from the inspector general that it should take steps to make employees more aware of hacker tactics such as posing as an internal employee and to remind people to report such incidents to security officials.'"
[+] UK Government Loses 15 Million Private Records 339 comments
bestweasel writes "The BBC reports that a UK Government department has lost discs with details of 15 million benefit recipients, including names, addresses, date of birth and bank accounts. The head of the department involved, HM Revenue & Customs, has resigned and his resignation 'was accepted because discs had been transported in breach of rules governing data protection' so someone thinks it's not a trivial matter. The Chancellor will try to evade responsibility in the House of Commons at 3.30 GMT. A similar leak of a 'mere' 15,000 records from the same department happened a month or so ago. At that time, they refused to say 'on security grounds' whether the information was encrypted." We just recently talked about Britain's consideration of legal penalties for situations like this. I imagine this incident will weigh on that decision.
Firehose:What if the US gov't lost data as the UK did? by Lucas123 (935744)
IRS Data Security Still a Concern | Log In/Create an Account | Top | 54 comments | Search Discussion
Display Options Threshold:
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • Ron Paul... (Score:2, Interesting)

    by GradiusCVK (1017360) <originalcvk.gmail@com> on Saturday December 22, @11:32AM (#21791262)
    Seems like the best way to solve this problem would be to remove any and all possible chance that the IRS might mishandle our data...

  • Why take data out of office? (Score:5, Insightful)

    by rueger (210566) on Saturday December 22, @11:39AM (#21791326) Homepage
    ...more than half of its 94,000 employees have permission to take taxpayer information to locations outside the IRS offices.

    It seems to me that most of the data breaches from large corporations and government come from just this - employees taking data files out of the office and losing them. Why of why don't employers simply insist that data stays on the premises? Surely keeping data in a secure physical location is the first step to safeguarding it.

    • Re:Why take data out of office? (Score:5, Insightful)

      by dbIII (701233) on Saturday December 22, @12:16PM (#21791576)
      In my case I had to take things as far as two members of the board to stop an accountant taking the laptop with the only functioning copy of the application that handles most of the financial information on holiday to Bahrain of all places (at the start of the recent Iraq war). People really think these things are their own personal possessions and are convinced that they will not be stolen even if they leave it unattended on a beach in another country.

      • Traveling laptop your #5 problem ... (Score:5, Insightful)

        by AHumbleOpinion (546848) on Saturday December 22, @12:26PM (#21791646) Homepage
        In my case I had to take things as far as two members of the board to stop an accountant taking the laptop with the only functioning copy of the application that handles most of the financial information on holiday

        I hope your board members recognized the four more important problems as well. Your top five problems:
        (1) Management allowed (2), (3), (4), and (5).
        (2) The accountant allowed (3) and (5).
        (3) You have one and only one system capable of running a critical application.
        (4) This critical application is not being run on enterprise grade hardware.
        (5) The accountant wanted to take the system on holiday.

        If your board only addressed the laptop/holiday add:
        (0) Board allowed (1), (2), (3), (4), or (5) as appropriate.
      • Re:Why take data out of office? by N1EY (Score:1) Saturday December 22, @04:56PM
    • Re:Why take data out of office? by wizardforce (Score:2) Saturday December 22, @12:27PM
    • Re:Why take data out of office? by Kevinv (Score:2) Saturday December 22, @01:23PM
    • Re:Why take data out of office? by N1EY (Score:1) Saturday December 22, @05:00PM

  • Maybe a white hat will break into IRS ... (Score:2)

    by AHumbleOpinion (546848) on Saturday December 22, @12:02PM (#21791472) Homepage
    Maybe a white hat will break into the IRS and encrypt all the files for them. Hope he doesn't lose the key before he anonymously mails it to them. :-)

  • Direct deposit (Score:1, Insightful)

    by whois_drek (829212) on Saturday December 22, @12:27PM (#21791654)

    an IRS breach could also jeopardize the banking information of the 46% of filers who requested direct deposit refunds
    How could this happen? If I remember my last tax form correctly, I just put my account number and bank routing number on it. Getting this information doesn't allow an attacker to withdraw any money. Perhaps it gets them one step closer, but it's a small step.
    • Re:Direct deposit by moreati (Score:2) Saturday December 22, @12:43PM

    • Re:Direct deposit (Score:4, Interesting)

      by Clomer (644284) on Saturday December 22, @01:23PM (#21792000)
      I used to work for a check printing company, and I can tell you that the most common type of check fraud is where someone orders checks with someone else's routing and account information. If you have a person's income tax statement complete with name, address, and bank account information, then you have all you need to order fraudulent checks. Heck, you could even have your name printed on them, but have the fraudulent account number info on the checks. You'd be surprised how easy it would be to cash such a check.

      Not that I would recommend it: we, at the check company, were taught certain red flags, things to watch for that may indicate a fraudulent order (and a good CSR won't let it on that they suspect you), and I won't go into those details here. And the penalties are pretty stiff if you are caught.

  • The devil is in the e-file (Score:4, Insightful)

    by Anonymous Coward on Saturday December 22, @12:27PM (#21791658)
    The biggest risk is not the IRS itself, but rather the e-file cabal of the IRS plus the companies that process and reformat your data for submission to the IRS. For instance, the TurboTax privacy statement [intuit.com] and full text [intuit.com] both promise certain steps, but there are gaping holes. Intuit keeps a copy of an e-filed return for at least three years, yet does not promise that the storage is encrypted. Data transmission from you to Intuit is encrypted (via 128-bit SSL), but some returns sent from Intuit to various agencies are NOT encrypted during transmission. Intuit claims that other companies providing services to Intuit may not use your data, but that does not prevent a breach if some employee does not follow the rules.

    And of course any subpoena, court order, or National Security Letter presented to Intuit has full access to all your data, including aggregation (database "join" on SSN, phone, address, etc.) with various data brokers who market their services aggressively to Department of Homeland Security, etc. With the IRS itself you have some protection; with the e-file cabal you nave none.

  • What happens? (Score:3, Insightful)

    by madsheep (984404) on Saturday December 22, @12:42PM (#21791752) Homepage

    Forget the U.K.: What happens here if the IRS loses our data?
    Hmm, I don't know, not a whole lot? Just using the number of publicly reported data breaches and privacy information losses, I would just work on the assumption someone has this data already. It's not like there aren't dozens of websites where someone can pay $15 and get all this same information anyway. What's the best you can really hope for? That they give you a free year of credit monitoring? Maybe they'll fire someone or penalize them? Who knows.. I just say work under the assumption someone has this data already. What are you doing right now to protect yourself?
    • 1 reply beneath your current threshold.

  • Banking Data? - Already on Checks (Score:3, Insightful)

    by kwpulliam (691406) <kevin.pulliam@NosPam.gmail.com> on Saturday December 22, @12:44PM (#21791762) Homepage Journal
    How exactly will 46% of filers banking information be comprimised? -

    From TFA "That translates to a lot of personal and banking details maintained by the IRS." - Those banking details are the same ones you hand out every time you write a check.

    The information included on the return for direct deposit is 'exactly' the same information printed on the front of a check in human readable format.

    If ANY of those households paid with a check to any retail establishment (where the clerk probably makes less than $10.00 an hour) then they have already released this information themselves.

    I understand data security and the problems of taking confidential data out of the workplace, but the banking details portion of this story needs to be taken with several grains of salt.

    Just because you have a banks routing number and a checking account number, this does not mean you can turn that into cash at an ATM.

  • Ask any 5 IRS employees... (Score:4, Insightful)

    by innerweb (721995) on Saturday December 22, @12:46PM (#21791772)

    A question and you are likely to get 10 different answers that may or may not be correct.

    How the IRS is allowed to operate the way it does is beyond me. How the tax laws are allowed to remain so confusing and frustrating is beyond me. But, obviously it is not cost effective to those that matter to fix it.

    If the tax laws were cleaned up, then maybe IRS employees might be able to handle many more individuals per specialist. If the tax laws were cleaned up, then maybe the IRS would be able to do all of its work at work. Just maybe.

    InnerWeb

  • Scare Reporting (Score:5, Interesting)

    by Grech (106925) on Saturday December 22, @01:23PM (#21791996) Homepage

    Full Disclosure: I work for the IRS, and have a business need to take OUO or SBU data outside of the campus where I work from time to time.

    Glossary:

    • OUO: [O]fficial [U]se [O]nly.- This is a class of information
    • SBU: [S]ensitive [B]ut [U]nclassified This is the category into which all identifiable taxpayer data falls, and falls under the protection of IRC 6103 (with consequences defined in IRC 1203)

    The article here is pure scaremongering, though it does at least touch on some of the procedures the Service used to secure taxpayer data. The article makes the following points.

    1. The IRS has lots of sensitive data
    2. If individual people tasked with protecting sensitive information do stupid things, it will defeat any security measure.

    When a laptop is issued, it gets whole disk encryption that can't be turned off by the user. Similarly, when the IRS issues other portable devices, they get the same. The rule, of course, is that you don''t hook up anything the IRS doesn't own to anything it does, so personal thumb drives and home networks should not be an issue, and we make the point every time we issue hardware. Similarly, the article talks about unencrypted drives on Campus machinery, but if someone has penetrated the physical security of the Campus and actually swipes one of these hard drives, things have already gone horribly wrong.

    If the IRS lost a great whacking load of SBU data, of course it would be a disaster, this is nothing new, and is obvious. The article makes it seem like it's inevitable or in immediate danger of happening, and this just isn't true.

  • IRS far more frightening than IRS data leaks (Score:2)

    by MSTCrow5429 (642744) on Saturday December 22, @04:28PM (#21793176)
    I'm more terrified of the IRS, not that it will lose data on me. The IRS ruins peoples lives for fun, and the employees are sociopathic or amoral.

  • Yeah, well ... (Score:2)

    by ScrewMaster (602015) on Saturday December 22, @07:52PM (#21794240)
    IRS Data Security Still a Concern

    The IRS' data store is always a concern, whether they lose track of it or not.

  • Re:Computer license (Score:2)

    by AHumbleOpinion (546848) on Saturday December 22, @12:29PM (#21791674) Homepage
    Because we don't allow people, who don't follow certain rules and don't have a basic understanding of what a car can or can't do drive. Why don't we apply that rule to a piece of technology that surpasses the sophistication of a car by a hundred years of technological advancement ?

    Because computers don't kill. Well consumer stuff, at least not yet.
  • 7 replies beneath your current threshold.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.