The Other IRS Scandal: Socializing Social Security Numbers

By Peter Bernstein July 10, 2013

There has always been a suspicion here in the United States that the Internal Revenue Service (IRS) is in many ways the poster child for “The Gang that Couldn’t Shoot Straight!” And just when it seemed that the agency might be slipping under the radar after the revelation that it had seemingly favored questioning the non-profit status of political groups known as 527s of only one political persuasion, the National Journal has come out with a story that the IRS committed what could be an equally problematic bureaucratic blunder by unwittingly exposing social security numbers.

In fact, according to a recent audit by the independent transparency and public-domain group Public.Resource.org, literally "tens of thousands" of social security numbers of members of the aforementioned 527s were on the Internet for about 24 hours after being discovered. Talk about pouring fuel on the fire.

The article goes into the forensic investigation done by Public.Resource.org’s founder Carl Malamud, which led to his discovery of the data breach and his notification to the IRS. It involved evaluating tax form information called T-990s and the 527 database, which the IRS routinely shares with the public in the name of transparency. Let’s just say it is discouraging to see the carelessness the IRS showed both in exposing the sensitive information these records contained and in its tardiness in taking some of it out of public view. It reads like a bad movie plot, although in the movies it would be clear that there was some evil force involved rather than an organizational screw-up.


The IRS, in responding to the article, said it is, "Assessing the situation and exploring available options… When we were alerted last week that a substantial number of social security numbers were posted on IRS.gov in forms filed by section 527 political organizations, the IRS decided out of an abundance of caution to temporarily remove public Web access to the records… The law requires the IRS to publicly post forms, such as Forms 8871, 8872 and 990, that are submitted by section 527 organizations. The IRS frequently and routinely reminds organizations of the public disclosure of these forms and urges them not to include personal information, including social security numbers, in their public filings."

In short, this seems like a case of blaming the victim. 

In commenting on this, Dave Anderson, a senior director with data-centric security specialist Voltage Security, stated that, “The problem with modern IT systems is that data can be replicated, shared and moved across multiple systems, quite literally, at the touch of a button. This requires data to be protected across its entire lifecycle, not only when it is stored away.”

He added, “The takeaway for me is that this saga highlights the need to obfuscate, or de-identify, the sensitive information in your organization, wherever it is stored and however it is used and moved. The problem with multi-dimensional data – especially spreadsheet or SQL database files – is that it is very difficult to understand which elements contain private data. For this reason, encryption and tokenization of all data becomes a driving imperative.”

The highlight of this saga for me is that assuming things are secure, especially truly sensitive data like social security numbers, even in the hands of an agency that should be hyper-sensitive about protecting them, is an assumption that needs to be constantly tested. In this case, it was a watchdog organization that caught the problem before it really exploded. However, Anderson's comments, particularly as they pertain to enterprise IT organizations, need careful consideration.

Anderson's focus was on encryption, but the reality is that security is also about taking a holistic view that involves mitigating risks involving not just the integrity of the data itself, but also the people who handle it, how it is accessed and by whom, how it is disseminated and to whom, along with the policies, rules, enforcement procedures and technology used to make such things less likely to happen in the future. In that sense, maybe the IRS acting as a poster child for bad practices is not such a bad thing.




Edited by Rachel Ramsey