The Other IRS Scandal-Socializing Social Security Numbers

By Peter Bernstein July 10, 2013

There has always been a suspicion here in the United States that the Internal Revenue Service (IRS) in many ways is the poster child for “The Gang that Couldn’t Shoot Straight!” And, just when it seemed that the agency might be going under the radar from the revelation that it had seemingly favored questioning the non-profit status of political groups known as 527s of only one political persuasion, the National Journal has come out with a story that the IRS committed what could be an equally problematic bureaucratic blunder by unwittingly exposing social security numbers. 

In fact, according to a recent audit by the independent transparency and public-domain group, literally "tens of thousands" of social security numbers of members of the aforementioned 527s were on the Internet for about 24 hours after being discovered. Talk about pouring fuel on the fire.

The article goes into the forensic investigation done by’s founder Carl Malamud, which led to his discovery and notification to the IRS of the data breach. It involved evaluation of tax form information called T-990s and the 527 database, which in the name of transparency the IRS routinely shares with the public. Let’s just say it is discouraging to see the carelessness the IRS exercised in both exposing the sensitive information contained and its tardiness in taking some of it out of public view. It reads like a bad movie plot, although in the movies it would be clear that there was some evil force involved rather than an organizational screw-up. 

Image via Shutterstock

The IRS, in responding to the article, said it is, "Assessing the situation and exploring available options… When we were alerted last week that a substantial number of social security numbers were posted on in forms filed by section 527 political organizations, the IRS decided out of an abundance of caution to temporarily remove public Web access to the records…The law requires the IRS to publicly post forms, such as Forms 8871, 8872 and 990, that are submitted by section 527 organizations. The IRS frequently and routinely reminds organizations of the public disclosure of these forms and urges them not to include personal information, including social security numbers, in their public filings."

In short, this seems like a case of blaming the victim. 

In commenting on this, Dave Anderson, a senior director with the data-centric security specialist with Voltage Security, stated that, “The problem with modern IT systems is that data can be replicated, shared and moved across multiple systems, quite literally, at the touch of a button.  This requires data to be protected across its entire lifecycle, not only when it is stored away.”

He added, “The takeaway for me is that this saga highlights the need to obfuscate, or de-identify, the sensitive information in your organization, wherever it is stored and however it is used and moved. The problem with multi-dimensional data – especially spreadsheet or SQL database files – is that it is very difficult to understand which elements contain private data. For this reason, encryption and tokenization of all data becomes a driving imperative.”

The highlight of this saga for me is that assuming things are secure, especially such things as truly sensitive data like social security numbers even in the hands of an agency that should be hyper-sensitive about its protection, is an assumption needs to be constantly tested. In this case, it was a watchdog organization that caught the problem before it really exploded. However, the Anderson comments as they pertain particularly to enterprise IT organizations need careful consideration. 

The Anderson focus was on encryption, but reality is security is also about taking a holistic view that involves mitigating risks involving not just the integrity of the data itself, but also the people that handle it, how it is accessed and by whom, how it is disseminated and to whom, along with the policies and rules and enforcement procedures and technology used to assure such things are less likely to happen in the future. In that sense, maybe the IRS acting as a poster child for bad practices, is not such a bad thing.

Edited by Rachel Ramsey
Related Articles

Jeff Bezos, Elon Musk Square Off on Rocket Firsts

By: Doug Mohney    11/25/2015

On Monday, November 23, Blue Origin successfully flew the first fully reusable rocket into space, giving the company first bragging rights. Founder Je…

Read More

Autonomous Car Technology Takes New Leap Forward With Ford, Uber

By: Larry Alton    11/24/2015

The age of the self-driving car is nearly upon us, or at least that's what major technology and automotive companies are hoping. There have been major…

Read More

Unusual but Fun Tech Ideas for 2015

By: Rob Enderle    11/24/2015

Well, it's the week of the big sales, and many of us are planning to buy that special someone a special something. I figured I'd join my peers and poi…

Read More

Locus Telecommunications is Challenging the FCC's Authority, Claiming Due Process Violations

By: Special Guest    11/24/2015

One of a handful of prepaid calling card companies slapped with a $5 million fine by the Federal Communications Commission (FCC or Commission) for its…

Read More

Kaspersky: Three Out of Four Users Have Trouble Spotting Big Threats

By: Steve Anderson    11/23/2015

We all know that spending on cybersecurity has been on the rise lately, as everyone from major corporations to military groups ramp up their cyberdefe…

Read More