IRS Data Security Still a Concern
Lucas123 writes "Computerworld has a story about the possibility and the potential ramifications of an IRS data loss similar to the UK's recent mishap. According to one World Bank executive, it could have already happened, 'and we don't know about it.' While the IRS does offer data encryption to its workers, more than half of its 94,000 employees have permission to take taxpayer information to locations outside the IRS offices. In the 2007 filing season, roughly 128 million individual tax returns were filed. In addition to the basic personal information on those forms, an IRS breach could also jeopardize the banking information of the 46% of filers who requested direct deposit refunds. This is not the first time that IRS security has been called into question, and the Department of Treasury's progress in that arena is dubious. [PDF]"
Seems like the best way to solve this problem would be to remove any and all possible chance that the IRS might mishandle our data...
...more than half of its 94,000 employees have permission to take taxpayer information to locations outside the IRS offices.
It seems to me that most of the data breaches from large corporations and government come from just this - employees taking data files out of the office and losing them. Why oh why don't employers simply insist that data stays on the premises? Surely keeping data in a secure physical location is the first step to safeguarding it.
Three Squirrels
Maybe a white hat will break into the IRS and encrypt all the files for them. Hope he doesn't lose the key before he anonymously mails it to them. :-)
Because we don't allow people who don't follow certain rules and don't have a basic understanding of what a car can or can't do to drive. Why don't we apply that rule to a piece of technology that surpasses the sophistication of a car by a hundred years of technological advancement?
In my case I had to take things as far as two members of the board to stop an accountant taking the laptop with the only functioning copy of the application that handles most of the financial information on holiday.
I hope your board members recognized the four more important problems as well. Your top five problems:
(1) Management allowed (2), (3), (4), and (5).
(2) The accountant allowed (3) and (5).
(3) You have one and only one system capable of running a critical application.
(4) This critical application is not being run on enterprise grade hardware.
(5) The accountant wanted to take the system on holiday.
If your board only addressed the laptop/holiday add:
(0) Board allowed (1), (2), (3), (4), or (5) as appropriate.
And of course any subpoena, court order, or National Security Letter presented to Intuit has full access to all your data, including aggregation (database "join" on SSN, phone, address, etc.) with various data brokers who market their services aggressively to Department of Homeland Security, etc. With the IRS itself you have some protection; with the e-file cabal you have none.
Put all the data on a server.
Those using pirated Tinysoft signatures(TM) are a real threat to society and should all be thrown in jail.
How exactly will 46% of filers' banking information be compromised?
From TFA "That translates to a lot of personal and banking details maintained by the IRS." - Those banking details are the same ones you hand out every time you write a check.
The information included on the return for direct deposit is 'exactly' the same information printed on the front of a check in human readable format.
If ANY of those households paid with a check to any retail establishment (where the clerk probably makes less than $10.00 an hour) then they have already released this information themselves.
I understand data security and the problems of taking confidential data out of the workplace, but the banking details portion of this story needs to be taken with several grains of salt.
Just because you have a bank's routing number and a checking account number, this does not mean you can turn that into cash at an ATM.
A question and you are likely to get 10 different answers that may or may not be correct.
How the IRS is allowed to operate the way it does is beyond me. How the tax laws are allowed to remain so confusing and frustrating is beyond me. But, obviously it is not cost effective to those that matter to fix it.
If the tax laws were cleaned up, then maybe IRS employees might be able to handle many more individuals per specialist. If the tax laws were cleaned up, then maybe the IRS would be able to do all of its work at work. Just maybe.
InnerWeb
Freud might say that Intelligent Design is religion's ID.
I know it makes sensational journalism to report about how catastrophic it would be to have a security problem at the IRS, but as someone in the industry (hence anonymous post), I as a taxpayer would be more worried about the security of the Electronic Return Originator, or ERO in industry terms. EROs are the persons and businesses that create electronic tax returns. This could be the taxpayer themselves, but in many cases is a small accounting company that provides the service. Picture a mom and pop sized version of H&R Block (although H&R is considered an ERO too.)
Not that these businesses don't have good intentions, it's just that many of them don't realize just how vulnerable they are making their clients' data. Fortunately I don't have to do end user support very often at my company, but I do get to read the reports from and talk to those at the company that do. I often hear of EROs wanting to use versions of Windows that no longer have security updates. Basically these small shops that have no IT make all the same mistakes we hear of endlessly. No firewall, no anti-virus, no updates, unsupported OS versions.
It's one thing for the average slashdotter to walk in, take one look around and walk right back out, their personal data still in hand, but many of their customers just aren't that smart. I've made all reasonable efforts to secure the parts of the system I am responsible for, but honestly there is only so much you can do to protect EROs from themselves.
Technically the IRS can site inspect EROs and Transmitters but that seems to never happen. What I am trying to point out here is that it is all well and good to talk about the security on the IRS side of things, but unless that same level of security extends to the Transmitters and EROs, it's all pretty much pointless.
Note: Transmitters are entities that collect tax information from EROs and transfer that information to the IRS on behalf of the ERO. This happens because it is very difficult to get permission to connect to the IRS systems, so those that have access essentially re-sell that access. Example, You buy a software package to do your own taxes at home and then eFile your taxes. The information does not go directly from your computer to an IRS computer because you are not an authorized transmitter, instead your information goes from your computer to a computer owned by the software maker, who then sends it to the IRS on your behalf.
Full Disclosure: I work for the IRS, and have a business need to take OUO or SBU data outside of the campus where I work from time to time.
Glossary:
The article here is pure scaremongering, though it does at least touch on some of the procedures the Service used to secure taxpayer data. The article makes the following points.
When a laptop is issued, it gets whole disk encryption that can't be turned off by the user. Similarly, when the IRS issues other portable devices, they get the same. The rule, of course, is that you don't hook up anything the IRS doesn't own to anything it does, so personal thumb drives and home networks should not be an issue, and we make the point every time we issue hardware. Similarly, the article talks about unencrypted drives on Campus machinery, but if someone has penetrated the physical security of the Campus and actually swipes one of these hard drives, things have already gone horribly wrong.
If the IRS lost a great whacking load of SBU data, of course it would be a disaster, this is nothing new, and is obvious. The article makes it seem like it's inevitable or in immediate danger of happening, and this just isn't true.
It may not be just, but it is fair, and that is more important.
poor irs
look at the selling section of viperwarez.com some irs id info is for sale there
My mother was an IRS agent until 1999. She once brought her laptop home when I was young... she was quite pleased - this was a time when laptops were not thrown around willy nilly like today. Anyways, I mentioned that couldn't someone go on the laptop and make it say they had paid their taxes (ah the mind of a seven year old). She assured me that all her coworkers and herself used a secret word to keep the laptop secure. I asked her how she could remember it. "Well it's something I could never forget son - It's your name!" What was a fond childhood bonding moment now causes me a bit of concern, especially since the article seems to throw around the concept of encryption like it's some magic bullet.
I love to see this as troll.
I mean there is no reason to not want the IRS.
Fair Tax = simplicity for many. And is hardly trollish behavior.
Ron Paul isn't the only runner who supports it either.
I'm more terrified of the IRS, not that it will lose data on me. The IRS ruins people's lives for fun, and the employees are sociopathic or amoral.
Slashdot: Playing Favorites Since 1997
IRS Data Security Still a Concern
The IRS' data store is always a concern, whether they lose track of it or not.
The higher the technology, the sharper that two-edged sword.