Another data breach to a government site

100k Tax returns and ss# stolen.

http://www.nytimes.com/2015/05/27/business/breach-exposes-irs-tax-returns.html?_r=0

Find more posts tagged with

Comments

I'm not sure I'd classify this one as a breach but more so as a mass impersonation. They used the system as it was intended just not as the person they were claiming to be.

TheFORCE

mackenzae wrote: »

I'm not sure I'd classify this one as a breach but more so as a mass impersonation. They used the system as it was intended just not as the person they were claiming to be.

They stole/obtained the data from other sources and they were then able to impersonate after they aggregated enough information. SS# is considered to be one of the most confidential and private information someone has. so it was most likely stolen from somewhere.

TeKniques

mackenzae wrote: »

I'm not sure I'd classify this one as a breach but more so as a mass impersonation. They used the system as it was intended just not as the person they were claiming to be.

Unauthorized access to sensitive data ...

What exactly would you classify it as?

philz1982

Yep, SS# is consider PII, so it is a breach of Confidentiality.

philz1982

Per IRS Policies:

[h=3]10.5.1.1 (05-05-2010)
Introduction to Privacy, Information Protection & Data Security (PIPDS)[/h]

Purpose. This IRM section defines the management structure, assigns responsibilities and uniform policies and guidance to be used by IRS employees and organizations to carry out their responsibilities related to privacy, information protection and data security. It provides guidance on all aspects of protecting taxpayer and employee Personally Identifiable Information (PII).
Scope. The provisions in this manual apply IRS-wide and are to be applied when PII is collected, created, transmitted, used, disseminated, processed, shared, stored or disposed of to accomplish the IRS mission. This manual also applies to individuals and organizations having contractual arrangements with the IRS, including contractors, subcontractors, vendors and outsourced providers who are doing business with the IRS.
Mission. The mission of the IRS is to "Provide America’s taxpayers top-quality service by helping them understand and meet their tax responsibilities and enforce the law with integrity and fairness to all." In order to fulfill this mission, it is necessary for the IRS to collect, process and maintain personal data about taxpayers, their dependents and IRS employees.
Vision. The vision of the IRS PIPDS organization is to preserve and enhance public confidence in the IRS by advocating for the protection and proper use of Personally Identifiable Information.
Implementation. The implementation of the PIPDS vision shall comply with applicable laws, policies, federal regulations, Presidential Directives, Office of Management and Budget (OMB) guidance and Department of Treasury (Treasury) guidelines, policies and directives.
Web site. Within the IRS intranet, the Office of Privacy, Information Protection & Data Security Web site provides information on all PIPDS programs at: http://PIPDS.web.irs.gov

mackenzae

TheFORCE wrote: »

They stole/obtained the data from other sources and they were then able to impersonate after they aggregated enough information. SS# is considered to be one of the most confidential and private information someone has. so it was most likely stolen from somewhere.

I don't disagree on the fact that there was a breach somewhere they stole the data to use to access the IRS data. I'm just not sure I'd blame the IRS for this one.. as the headline kind of implies.

philz1982

Well right wrong or indifferent it was the IRS system that had a compromise of authentication. Now, how could they have had a better authentication process? Could two-factor have worked? Could they have looked at addresses and matched them with the location of the IP address? Could they have detected that all of these requests came from the same geographic area or block of IP's.

We may never know..

Iristheangel

philz1982 wrote: »

Well right wrong or indifferent it was the IRS system that had a compromise of authentication. Now, how could they have had a better authentication process? Could two-factor have worked? Could they have looked at addresses and matched them with the location of the IP address? Could they have detected that all of these requests came from the same geographic area or block of IP's.

We may never know..

I don't think that would have been a very effective two-factor authentication system to base it on IP for a number of reasons. lol

philz1982

I should have separated my sentences. A two-factor authentication would have been separate from a IDS/IPS policy that looks at unusual amounts of requests from a geo or block of IP's. Totally separate strategies.

Iristheangel

philz1982 wrote: »

I should have separated my sentences. A two-factor authentication would have been separate from a IDS/IPS policy that looks at unusual amounts of requests from a geo or block of IP's. Totally separate strategies.

Unless they're spreading it out with various proxies and then geolocation isn't as useful anymore

Some IRS systems do have two-factor authentication. I.e. in order to get onto the IRS payment system (https://www.eftps.gov/eftps/), they mailed me a PIN number awhile ago. But that's not to say anyone can't just set up mail forwarding and get that PIN anyways. We could issue tokens, cards, make it a physical transaction, etc but then ease of use, cost, and reality go out the window.

There always "more" that any company can do to become more secure but ultimately, they have to strike a balance between security and the availability to their clients/customers/citizens. In this case, the attackers already had their victims social security numbers, birth dates, addresses, etc. I think most financial institutions, utility companies, etc would have freely given them information based on that identifying information. At that point, the attackers had enough information to apply for credit in those people's names, change the address on their financial institutions records, get new credit/debit cards sent to them, etc.

TheFORCE

I read some more articles about this breach, apparently the IRS has a long history of not implementing security controls time and time again. According to the article below, various audits were conducts going back many years and nothing was done to close the audit points.
Audits and reports warned of IRS computer safety risks

philz1982

Does this suprise anyone this is the same Federal government that couldn't implement a basic website.

kiki162

@phil - haha nooooo. I'm sure that they will release the details at some point, question is will the IRS do anything about it.