IRS Indifferent to Hacking of Tax Returns of More Than 100,000 Americans
Apparently the arrogance of IRS Commissioner John Koskinen knows no bounds. Facing questions about the ease with which hackers accessed the tax returns of more than 100,000 Americans from February to mid-May, he remained unapologetic. “These are actually organized crime syndicates that not only we but everybody in the financial industry are dealing with,” he declared—before boasting about the agency’s ability to stop approximately half the attacks.
Koskinen also offered up an exercise in semantics. “This is not a hack or data breach. These are impostors pretending to be someone,” he said according to the Wall Street Journal. Technically the Commissioner is correct in that the IRS systems themselves weren’t compromised. But one suspects the efforts, now attributed to Russian hackers engaged in a sophisticated scheme to claim fraudulent tax refunds, will be scant comfort to American taxpayers waiting for those refunds. Furthermore, Americans might not have known about the source of the attack at all: two officials contacting Breitbart News “spoke on condition of anonymity because they were not authorized to publicly discuss the ongoing investigation,” the website reported.
The hackers used Social Security numbers, street addresses and other critical information obtained elsewhere to complete a multistep authorization process. It allowed them to gain access and request refunds and other filings, the IRS admitted. Before detecting the scheme, the agency sent out nearly $50 million in refunds. As a result the IRS has temporarily shut down its “Get Transcript” application that had allowed taxpayers to access their own information.
Perhaps Koskinen and company see this as an improvement. In 2013, the IRS paid out a whopping $5.8 billion in fraudulently claimed refunds.
The latest revelation is hardly surprising. At least seven federal audits, along with other reports compiled from 2007 to 2014 illuminated the security risks associated with the IRS’s computer system. These included failures in database controls, and the failure to properly screen workers with access to millions of taxpayer files, including the hiring of an ex-convict who wasn’t subjected to a background check.
A Treasury Department report released last October revealed an unconscionable amount of bureaucratic inertia in that regard. “Computer security has been problematic for the IRS since 1997,” it stated. “In April 2014, the Government Accountability Office (GAO) reported that the IRS is making progress in addressing information security control weaknesses; however, the GAO noted that weaknesses remain that could affect the confidentiality, integrity, and availability of financial and sensitive taxpayer data.”
That reality was seconded by the Treasury Inspector General for Tax Administration (TIGTA), who “also continues to identify weakness in that area.”
According to the TIGTA, standard security configurations were issued in March of 2006. A year later auditors tested the system and discovered a 30 percent failure rate, according to their audit. Exploitation of those vulnerabilities “could result in unauthorized accesses to taxpayer information and ultimately result in identity theft or fraud,” it concluded. And despite IRS promises to address the weaknesses, another TIGTA audit concluded in May 2011 that it “could not determine if the weaknesses were entered, addressed, or closed.”
Subsequent TIGTA audits in 2012, 2013 and 2014 revealed a comedy of errors that included a failure to monitor 34 percent of its computers for cyber attacks and other vulnerabilities despite ostensible round-the-clock security; failure to implement 8 of 19 recommendations, despite reporting all 19 had been completed; a review of vendor contracts revealing a courier who transported sensitive IRS documents never received a background check, despite having a criminal record that included serving 21 years in prison for arson, retaliation and attempted escape; and another failure to vet a company awarded a contract to print and mail IRS tax forms that was given a CD containing the names, addresses and Social Security numbers of 1.4 million taxpayers.
In other words, gross ineptitude has been documented as standard operating procedure at the agency.
“It is self-evident they have a problem,” said Anthony Roman, president of Roman & Associates, a global investigation and risk management firm. “A 50 percent hacking rate is beyond the reasonable bounds. The Chinese, the Russians and the Iranians have been quite successfully attempting breaches into government networks and secured classified and private information on an ongoing basis. It would appear to me, the U.S. is somewhat behind the curve with regards to computer security.”
According to Shuman Ghosemajumder, vice president of strategy at Shape Security, the IRS was subjected to a “fullz” attack driven by consumer data stolen in prior, unrelated attacks. Criminals purchase that data and use rented computer networks that run automated attacks until a user’s identity is compromised. Those attacks can often overcome encryption and security questions. Security can be upgraded, but the tradeoff puts additional burdens on the end user. “There’s often a security vs. convenience tradeoff,” Ghosemajumder explained.
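The two passages above describe the same failure mode from two sides: a multistep knowledge-based authentication (KBA) flow that accepts Social Security numbers and addresses as proof of identity, and automated attempts, spread across rented networks, that replay purchased “fullz” data through that flow until something sticks. What a defender can do without changing the user-facing questions is watch the attempt stream for the shape such automation leaves behind. The following is an added example, not IRS code and not anything the article or Shape Security published; the log format, field names and every threshold are assumptions chosen for illustration, and the log lines are constructed.

```python
"""Detect automated KBA abuse from an authentication-attempt log.

Added example (not IRS code, not from the article). The log format, the
field names and all thresholds below are assumptions for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log: one line per KBA attempt against a transcript-style
# service. Fields: UTC timestamp, source IP, hashed identity, outcome.
SAMPLE_LOG = """\
2015-05-01T10:00:01Z 203.0.113.7 id=a1 outcome=fail
2015-05-01T10:00:02Z 203.0.113.7 id=a2 outcome=fail
2015-05-01T10:00:03Z 203.0.113.7 id=a3 outcome=fail
2015-05-01T10:00:04Z 203.0.113.7 id=a4 outcome=fail
2015-05-01T10:00:05Z 203.0.113.7 id=a5 outcome=fail
2015-05-01T10:00:06Z 203.0.113.7 id=a6 outcome=pass
2015-05-01T10:01:10Z 198.51.100.20 id=b9 outcome=fail
2015-05-01T10:01:40Z 198.51.100.21 id=b9 outcome=fail
2015-05-01T10:02:15Z 198.51.100.22 id=b9 outcome=fail
2015-05-01T10:02:50Z 198.51.100.23 id=b9 outcome=pass
2015-05-01T10:05:00Z 192.0.2.5 id=c1 outcome=pass
2015-05-01T10:06:30Z 192.0.2.8 id=c2 outcome=fail
2015-05-01T10:07:05Z 192.0.2.8 id=c2 outcome=pass
"""

LINE_RE = re.compile(r"^(\S+) (\S+) id=(\S+) outcome=(pass|fail)$")


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    source: str
    identity: str
    passed: bool


def parse_log(text):
    """Parse the assumed log format into Attempt records; reject junk lines."""
    attempts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        attempts.append(Attempt(ts, m.group(2), m.group(3), m.group(4) == "pass"))
    return attempts


def bucket_start(ts, window):
    """Align a timestamp to the start of its fixed-size window."""
    epoch, secs = int(ts.timestamp()), int(window.total_seconds())
    return datetime.fromtimestamp(epoch - epoch % secs, tz=timezone.utc)


def detect(attempts, window=timedelta(minutes=10), max_identities_per_source=3,
           max_sources_per_identity=2, min_attempts=5, max_failure_ratio=0.5):
    """Return alerts for sources spraying many identities or failing KBA often,
    and for identities probed from many sources (the rented-network pattern)."""
    by_window = defaultdict(list)
    for a in attempts:
        by_window[bucket_start(a.ts, window)].append(a)
    alerts = []
    for start, group in sorted(by_window.items()):
        ids_per_source, sources_per_identity = defaultdict(set), defaultdict(set)
        count_per_source, fails_per_source = defaultdict(int), defaultdict(int)
        for a in group:
            ids_per_source[a.source].add(a.identity)
            sources_per_identity[a.identity].add(a.source)
            count_per_source[a.source] += 1
            fails_per_source[a.source] += 0 if a.passed else 1
        for src, ids in ids_per_source.items():
            reasons = []
            if len(ids) > max_identities_per_source:
                reasons.append("identity_spraying")
            n = count_per_source[src]
            if n >= min_attempts and fails_per_source[src] / n > max_failure_ratio:
                reasons.append("high_failure_ratio")
            if reasons:
                alerts.append({"window": start.isoformat(), "kind": "source",
                               "key": src, "reasons": reasons})
        for ident, srcs in sources_per_identity.items():
            if len(srcs) > max_sources_per_identity:
                alerts.append({"window": start.isoformat(), "kind": "identity",
                               "key": ident, "reasons": ["distributed_attempts"]})
    return alerts


def window_failure_rate(attempts, window=timedelta(minutes=10)):
    """Fraction of failed KBA attempts per window; a jump against the normal
    baseline is the aggregate signal even when no single source stands out."""
    totals, fails = defaultdict(int), defaultdict(int)
    for a in attempts:
        b = bucket_start(a.ts, window).isoformat()
        totals[b] += 1
        fails[b] += 0 if a.passed else 1
    return {b: fails[b] / totals[b] for b in totals}


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for alert in detect(records):
        print(alert)
    print(window_failure_rate(records))
```

Run against the constructed log, the single-source rule catches the host walking through six identities with five failures, the per-identity rule catches the account probed once each from four addresses (the low-and-slow shape that defeats per-IP rate limits), and the two ordinary users in 192.0.2.0/24 produce no alert. The window failure rate is the coarse signal that remains when the attacker spreads attempts thinly enough to evade both rules; in production it would be compared against a learned baseline rather than inspected by eye.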
Again one suspects the overwhelming majority of taxpayers would be inclined to embrace such an obviously beneficial, if somewhat more time-consuming, tradeoff.
A Senate Finance Committee hearing is scheduled for June 2, during which Koskinen is expected to testify about the breach. Expect the haughtiness he demonstrated in previous hearings. Like when he denied the IRS was “targeting” right-leaning nonprofits in a hair-splitting effort to create distance between that word and the Inspector General’s use of the term “inappropriate criteria” to describe that proven effort. Or when he insisted an IRS apology wasn’t needed when he testified (read: “lied”) about Lois Lerner’s “lost” emails that were subsequently recovered. Bet the proverbial farm Koskinen blames the latest outrage on the same IRS budget cuts the agency used to justify abysmal customer service this past tax season, even as they lavished taxpayer funds on employee bonuses, expensive conferences, and executive travel.
Data theft at the IRS
“Taxpayers deserve to know what happened at the IRS regarding the data theft, and this hearing will be the first step of many that the committee takes to determine what happened and how the government can prevent such attacks from happening again,” said Sen. Orrin Hatch (R-UT). In the meantime the IRS will notify all 200,000 taxpayers whose accounts were targeted, and provide free credit monitoring for taxpayers whose accounts were breached, watching those accounts for any additional suspicious activity.
Given the IRS’s aforementioned track record, no one subjected to this breach should have the slightest confidence in that promise. It is an agency beset by corruption, incompetence and arrogance, as well as the very same bureaucratic torpor and institutional corruption afflicting the equally calamitous Veterans Administration more than one year after that scandal erupted. At the very least, Koskinen needs to go. An arrogant leader overseeing an agency with a vast level of power over millions of vulnerable taxpaying Americans is a toxic mix.