IRS Data Breach Demonstrates the Risk of Trying to Help Taxpayers

By Wayne Rash  |  Posted 2015-08-18

NEWS ANALYSIS: The Internal Revenue Service learns the dangers of using the Internet to try to make things a bit easier for taxpayers.

Once you get that new PIN, keep track of it, but not in the same place as your other personal data. You'll need it at tax time, and if you work with a tax preparer, they'll need it too.

Regardless of whether this potential scam hits your personal or business taxes, it pays to be prepared. The IRS has a whole section on their Website just for helping people deal with identity theft. In addition, there's a one-page summary for individual taxpayers, and there's another page for protecting businesses against identity theft. The IRS provides help in the event that a data breach that potentially involves tax-related records hits your employer or your own business.

Even if you or your business aren't notified that your information was taken in the latest data breach, there are still steps you can take if you only think your information might not be secure. One of the most important is an affidavit you can fill out to request one of those security PINs that the agency is giving out to people it knows have been breached.

By now you've probably noticed that I haven't excoriated the IRS for shoddy security practices, lax management of personal information or even carelessness. There are a couple of reasons for this. The first is that considering the trove of personal data the agency holds, the fact that the scammers only reached a tiny percentage means that the IRS must be doing a lot right.

The second is that the hackers, even when armed with detailed information from tax accounts, could only manage to get tax return information from fewer than half, which says that the verification security the IRS is using must be working pretty well.

Still, the IRS did get breached, but they found it in a relatively short time and then shut down the offending system immediately. While no breach is acceptable, the difference between what happened at the IRS and other federal agencies (the Office of Personnel Management, for example) is remarkable. This event is likely a good case study of how it was possible to breach the fairly well-defended network of a public-facing site filled with sensitive information.

But of course there is more to be done. The secure PINs the IRS is issuing are effectively a type of two-factor authentication. It would be useful if the IRS could find a way to extend two-factor authentication to all or nearly all taxpayers.

Even something comparatively simple such as sending a random confirmation number to a taxpayer's cell phone, much like Apple and Microsoft do when verifying identity, would go a long way to preventing successful breaches.

But right now, it's best to look at the IRS breach and be thankful that everything worked as well as it did, and that more information wasn't taken. The IRS security may not be perfect, but it sure seems to be far better than other agencies, such as OPM, the White House or the Department of State.

