The Other IRS Scandal: Socializing Social Security Numbers

By Peter Bernstein July 10, 2013

There has always been a suspicion here in the United States that the Internal Revenue Service (IRS) is in many ways the poster child for “The Gang that Couldn’t Shoot Straight!” And just when it seemed that the agency might be slipping back under the radar after the revelation that it had seemingly favored questioning the non-profit status of political groups known as 527s of only one political persuasion, the National Journal has come out with a story that the IRS committed what could be an equally problematic bureaucratic blunder by unwittingly exposing social security numbers.

In fact, according to a recent audit by the independent transparency and public-domain group Public.Resource.org, literally "tens of thousands" of social security numbers of members of the aforementioned 527s were on the Internet for about 24 hours after being discovered. Talk about pouring fuel on the fire.

The article goes into the forensic investigation done by Public.Resource.org’s founder Carl Malamud, which led to his discovery of the data breach and his notification to the IRS. It involved evaluation of tax form information called T-990s and the 527 database, which in the name of transparency the IRS routinely shares with the public. Let’s just say it is discouraging to see the carelessness the IRS exercised in exposing the sensitive information these records contained, and its tardiness in taking some of it out of public view. It reads like a bad movie plot, although in the movies it would be clear that there was some evil force involved rather than an organizational screw-up.

The IRS, in responding to the article, said it is, "Assessing the situation and exploring available options… When we were alerted last week that a substantial number of social security numbers were posted on IRS.gov in forms filed by section 527 political organizations, the IRS decided out of an abundance of caution to temporarily remove public Web access to the records… The law requires the IRS to publicly post forms, such as Forms 8871, 8872 and 990, that are submitted by section 527 organizations. The IRS frequently and routinely reminds organizations of the public disclosure of these forms and urges them not to include personal information, including social security numbers, in their public filings."

In short, this seems like a case of blaming the victim. 

In commenting on this, Dave Anderson, a senior director with the data-centric security specialist Voltage Security, stated that, “The problem with modern IT systems is that data can be replicated, shared and moved across multiple systems, quite literally, at the touch of a button. This requires data to be protected across its entire lifecycle, not only when it is stored away.”

He added, “The takeaway for me is that this saga highlights the need to obfuscate, or de-identify, the sensitive information in your organization, wherever it is stored and however it is used and moved. The problem with multi-dimensional data – especially spreadsheet or SQL database files – is that it is very difficult to understand which elements contain private data. For this reason, encryption and tokenization of all data becomes a driving imperative.”

The highlight of this saga for me is that assuming things are secure, especially truly sensitive data like social security numbers, even in the hands of an agency that should be hyper-sensitive about its protection, is an assumption that needs to be constantly tested. In this case, it was a watchdog organization that caught the problem before it really exploded. However, the Anderson comments, as they pertain particularly to enterprise IT organizations, need careful consideration.

The Anderson focus was on encryption, but the reality is that security is also about taking a holistic view that involves mitigating risks involving not just the integrity of the data itself, but also the people that handle it, how it is accessed and by whom, how it is disseminated and to whom, along with the policies, rules, enforcement procedures and technology used to assure such things are less likely to happen in the future. In that sense, maybe the IRS acting as a poster child for bad practices is not such a bad thing.




Edited by Rachel Ramsey