IRS Data Security Still a Concern 54
Lucas123 writes "Computerworld has a story about the possibility and the potential ramifications of an IRS data loss similar to the UK's recent mishap. According to one World Bank executive, it could have already happened, 'and we don't know about it.' While the IRS does offer data encryption to its workers, more than half of its 94,000 employees have permission to take taxpayer information to locations outside the IRS offices. In the 2007 filing season, roughly 128 million individual tax returns were filed. In addition to the basic personal information on those forms, an IRS breach could also jeopardize the banking information of the 46% of filers who requested direct deposit refunds. This is not the first time that IRS security has been called into question, and the Department of Treasury's progress in that arena is dubious. [PDF]"
Scare Reporting (Score:5, Informative)
Full Disclosure: I work for the IRS, and have a business need to take OUO or SBU data outside of the campus where I work from time to time.
Glossary:
The article here is pure scaremongering, though it does at least touch on some of the procedures the Service used to secure taxpayer data. The article makes the following points.
When a laptop is issued, it gets whole disk encryption that can't be turned off by the user. Similarly, when the IRS issues other portable devices, they get the same. The rule, of course, is that you don''t hook up anything the IRS doesn't own to anything it does, so personal thumb drives and home networks should not be an issue, and we make the point every time we issue hardware. Similarly, the article talks about unencrypted drives on Campus machinery, but if someone has penetrated the physical security of the Campus and actually swipes one of these hard drives, things have already gone horribly wrong.
If the IRS lost a great whacking load of SBU data, of course it would be a disaster, this is nothing new, and is obvious. The article makes it seem like it's inevitable or in immediate danger of happening, and this just isn't true.
Re:Direct deposit (Score:1, Informative)
Many merchants who accept paper checks turn them into "electronic checks" which debit your checking account directly at the next clearing session (usually 10pm to 5am). The account number and the amount are the only two required pieces of information, but who receives the money is well known. This is the mechanism used by automated payment for utility bills, subscriptions, etc.
Re:Direct deposit (Score:4, Informative)
An ACH transaction != financial identity. If I have that information about you and have access to the payment system, I can fraudulently send out ACH items and hope to collect enough to make it worthwhile before I'm shut down. This information, however, does not allow me to open a loan or credit account in your name. It sucks, but it's not identity theft.
I'm sure that the UK does also have some sort of an electronic transaction system, but I've got no idea about what it is and how it works. You guys have a different style of banking than we do in the US. We have a few major, major players, but also a very large number of small "community banks" and credit unions. The ACH network in the United States was set up as a clearinghouse to basically send transactions to a large number of different banks. If I understand things correctly, the UK doesn't have the smaller financial institutions like we do, so the electronic transaction systems may work differently there (to say nothing of the regulations defining how they work!).