Security experts were not surprised about the disclosure of the IRS breach, which they say raises questions about the tax agency's incident response.
The latest data breach victim is the U.S. Internal Revenue Service, which disclosed May 26 that information on 100,000 American taxpayers is at risk.
The IRS reported that the breach came by way of its Get Transcript application, which is currently unavailable. The Get Transcript service enables taxpayers to obtain a statement of their tax account transactions, including line-by-line tax return information as well as income reported to the IRS for a given tax year.
According to the IRS, hackers were able to make use of data from non-IRS sources to gain access to the Get Transcript application.
"In this sophisticated effort, third parties succeeded in clearing a multi-step authentication process that required prior personal knowledge about the taxpayer, including Social Security information, date of birth, tax filing status and street address before accessing IRS systems," the IRS stated. "The multi-layer process also requires an additional step, where applicants must correctly answer several personal identity verification questions that typically are only known by the taxpayer."
While the IRS is admitting that 100,000 taxpayer accounts were breached, the damage could have been worse. The IRS investigation of the incident found that attackers made 200,000 attempts to access accounts. The attack against the Get Transcript application is now thought to have started in February and was operational until mid-May, according to the IRS. According to the IRS, its other systems were not breached.
Security experts eWEEK spoke with were not surprised about the disclosure but said it raises questions about the tax agency's response to the incident.
While the IRS disclosure wasn't surprising, said Andre Ludwig, senior technical director of Novetta, the amount of time it took to inform the public about this particular invasion is surprising and worrisome. "It appears the IRS was aware of the problem for a prolonged amount of time, and decision timelines involved post-detection were alarming in bringing down the responsible system," Ludwig told eWEEK. "Response may have been delayed due to IRS staff's inability to mitigate risk directly without leadership and external support."
Delayed decision cycles should be measured in days to weeks—not months—in an organization where security leadership has the authority to directly mitigate risk for the organization, Ludwig said.
Rob Ragan, senior security associate at Bishop Fox, agreed with the notion that the IRS response time is not as quick as it should be. The IRS and organizations that handle large sums of money should constantly re-evaluate and improve their incident-response and fraud-detection capabilities, he said.
"The fact that it went unnoticed for so long has revealed shortcomings in their fraud-detection capabilities, and their inability to close the gaps right away is indicative of an insufficient incident-response plan," Ragan said.
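The figures the IRS reports (200,000 attempts, about half of them successful, spread over several months) are the kind of shift a daily baseline comparison would surface, which is the fraud-detection gap Ragan describes. As an added example that is not IRS or eWEEK code, the Python below summarizes constructed Get Transcript identity-verification outcomes per day and flags days whose attempt volume or pass rate departs from a quiet baseline; the log format, the thresholds and every sample value are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev


def make_log(day, attempts, successes):
    """Build constructed 'day,outcome' records for one day (synthetic, not IRS data)."""
    return [f"{day},{'pass' if i < successes else 'fail'}" for i in range(attempts)]


# Constructed sample: three quiet January days, one ordinary February day, and one
# day modelled on the pattern the IRS reported (many attempts, about half succeeding).
SAMPLE_LOG = (make_log("2015-01-05", 30, 26) + make_log("2015-01-06", 28, 25)
              + make_log("2015-01-07", 33, 28) + make_log("2015-02-09", 31, 27)
              + make_log("2015-02-10", 300, 150))
BASELINE_DAYS = ["2015-01-05", "2015-01-06", "2015-01-07"]


def summarize_by_day(lines):
    """Return {day: (attempts, successes)} from 'YYYY-MM-DD,outcome' records."""
    by_day = defaultdict(lambda: [0, 0])
    for line in lines:
        line = line.strip()
        if not line:
            continue
        day, outcome = line.split(",", 1)
        by_day[day][0] += 1
        if outcome == "pass":
            by_day[day][1] += 1
    return {day: tuple(counts) for day, counts in by_day.items()}


def flag_anomalous_days(daily, baseline_days, z=3.0, min_attempts=20):
    """Flag non-baseline days whose attempt volume or pass rate sits more than z
    standard deviations from the baseline; the floors on the deviation keep a flat
    baseline from turning every small wobble into an alert."""
    vols = [daily[d][0] for d in baseline_days]
    rates = [daily[d][1] / daily[d][0] for d in baseline_days]
    vol_hi = mean(vols) + z * max(pstdev(vols), 1.0)
    rate_lo = mean(rates) - z * max(pstdev(rates), 0.01)
    rate_hi = mean(rates) + z * max(pstdev(rates), 0.01)
    flagged = {}
    for day, (attempts, successes) in sorted(daily.items()):
        if day in baseline_days or attempts < min_attempts:
            continue
        reasons = []
        if attempts > vol_hi:
            reasons.append("volume")
        if not rate_lo <= successes / attempts <= rate_hi:
            reasons.append("pass_rate")
        if reasons:
            flagged[day] = reasons
    return flagged


if __name__ == "__main__":
    print(flag_anomalous_days(summarize_by_day(SAMPLE_LOG), BASELINE_DAYS))
```

A real deployment would baseline per weekday or season rather than three fixed days, and would pair the daily view with per-source and per-taxpayer counters, but the day-level shift alone is enough to make a months-long campaign visible.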
Ludwig said security organizations should be treated as first-class citizens alongside their business or policy brethren. Security organizations should be empowered to directly mitigate risk for organizations to protect them and their customers and help shrink the cycle of detection, analysis, communication and action, Ludwig said.
"One cannot simply rely on technical savvy; we need to enable security leadership to execute against identified risks to an organization," he said.
Sean Michael Kerner is a senior editor at InternetNews.com. Follow him on Twitter @TechJournalist.