IRS Get Transcript Breach – The Agency Didn't Adequately Prepare

The announcement came yesterday: Chinese hackers had breached the federal government’s personnel office. In isolation, this might seem a single event. But when viewed in the grouping of several other top-level hacks, it becomes clear that the federal government is extremely vulnerable.
One clear parallel was the recent IRS Get Transcript breach, announced in late May, which is believed to trace to the Soviet Union. The information was taken from an IRS website called Get Transcript, where taxpayers can obtain previous tax returns and other tax filings. In order to access the information, the thieves cleared a security screen that required detailed knowledge about each taxpayer, including their Social Security number, date of birth, tax-filing status and street address. The IRS believes the criminals originally obtained this information from other sources. They were accessing the IRS website to get even more information about the taxpayers, which would help them claim fraudulent tax refunds in the future. Might the information in the more recent hack also provide the fuel for a future hack? Quite likely, in my opinion.
What’s especially bothersome to me is the IRS had received several warnings from GAO in 2014 and 2015. If the warnings had been implemented, there would have been less of an opportunity for the attack. The IRS failed to implement dozens of security upgrades to its computer systems, some of which could have made it more difficult for hackers to use an IRS website to steal tax information from 104,000 taxpayers.
In addition, the IRS has a comprehensive framework for its cybersecurity program, which includes risk assessment for its systems, security-plan development, and the training of employees for security awareness and other specialized topics. However, the IRS did not correctly implement aspects of its program. The IRS faces a higher statistical probability of attacks, but was unprepared. Let’s face it: The US federal government is a prime target for hackers.
The concern here, of course, is the grouping of attacks and the reality that the US government must be more prepared. I’ve managed IT systems and architecture for more than 3 decades and I’ll say this: The IRS testing methodology wasn’t capable of determining whether the required controls were in effective operation. This speaks to not only physical unpreparedness, but a general passive attitude toward these types of events and the testing protocols. The federal government doesn’t adequately protect the PII it collects on all US citizens, and simply sending a letter to those impacted by a breach is not enough to prevent recurrence in the future.
I don’t need to tell you that. The GAO told the IRS the same thing: “Until IRS takes additional steps to (1)address unresolved and newly identified control deficiencies and (2)effectively implements elements of its information security program, including, among other things, updating policies, test and evaluation procedures, and remedial action procedures, its financial and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification, or disclosure.”
These shortcomings were the basis for GAO’s determination that IRS had a significant deficiency in internal control over financial-reporting systems prior to the IRS Get Transcript Breach.
Author Note: In my next blog on security, I’ll talk about the NIST standard for small businesses, with recommendations to prepare and protect in the wake of these high-level breaches.
(Photo by Ray Tsang)