The Other IRS Scandal-Socializing Social Security Numbers

By Peter Bernstein July 10, 2013

There has always been a suspicion here in the United States that the Internal Revenue Service (IRS) is in many ways the poster child for “The Gang that Couldn’t Shoot Straight!” And just when it seemed that the agency might be slipping under the radar after the revelation that it had seemingly favored questioning the non-profit status of political groups, known as 527s, of only one political persuasion, the National Journal has come out with a story that the IRS committed what could be an equally problematic bureaucratic blunder by unwittingly exposing social security numbers.

In fact, according to a recent audit by the independent transparency and public-domain group, literally "tens of thousands" of social security numbers of members of the aforementioned 527s were on the Internet for about 24 hours after being discovered. Talk about pouring fuel on the fire.

The article goes into the forensic investigation done by’s founder Carl Malamud, which led to his discovery and notification to the IRS of the data breach. It involved evaluation of tax form information called T-990s and the 527 database, which in the name of transparency the IRS routinely shares with the public. Let’s just say it is discouraging to see the carelessness the IRS exercised in both exposing the sensitive information contained and its tardiness in taking some of it out of public view. It reads like a bad movie plot, although in the movies it would be clear that there was some evil force involved rather than an organizational screw-up. 

The IRS, in responding to the article, said it is, "Assessing the situation and exploring available options… When we were alerted last week that a substantial number of social security numbers were posted on in forms filed by section 527 political organizations, the IRS decided out of an abundance of caution to temporarily remove public Web access to the records…The law requires the IRS to publicly post forms, such as Forms 8871, 8872 and 990, that are submitted by section 527 organizations. The IRS frequently and routinely reminds organizations of the public disclosure of these forms and urges them not to include personal information, including social security numbers, in their public filings."

In short, this seems like a case of blaming the victim. 

In commenting on this, Dave Anderson, a senior director with data-centric security specialist Voltage Security, stated that, “The problem with modern IT systems is that data can be replicated, shared and moved across multiple systems, quite literally, at the touch of a button. This requires data to be protected across its entire lifecycle, not only when it is stored away.”

He added, “The takeaway for me is that this saga highlights the need to obfuscate, or de-identify, the sensitive information in your organization, wherever it is stored and however it is used and moved. The problem with multi-dimensional data – especially spreadsheet or SQL database files – is that it is very difficult to understand which elements contain private data. For this reason, encryption and tokenization of all data becomes a driving imperative.”

The highlight of this saga for me is that assuming things are secure, especially truly sensitive data like social security numbers, even in the hands of an agency that should be hyper-sensitive about its protection, is an assumption that needs to be constantly tested. In this case, it was a watchdog organization that caught the problem before it really exploded. However, the Anderson comments, particularly as they pertain to enterprise IT organizations, need careful consideration.

The Anderson focus was on encryption, but the reality is that security is also about taking a holistic view. That view involves mitigating risks involving not just the integrity of the data itself, but also the people that handle it, how it is accessed and by whom, and how it is disseminated and to whom, along with the policies, rules, enforcement procedures and technology used to make such things less likely to happen in the future. In that sense, maybe the IRS acting as a poster child for bad practices is not such a bad thing.

Edited by Rachel Ramsey