The Other IRS Scandal-Socializing Social Security Numbers

By

There has always been a suspicion here in the United States that the Internal Revenue Service (IRS) in many ways is the poster child for “The Gang that Couldn’t Shoot Straight!” And, just when it seemed that the agency might be going under the radar from the revelation that it had seemingly favored questioning the non-profit status of political groups known as 527s of only one political persuasion, the National Journal has come out with a story that the IRS committed what could be an equally problematic bureaucratic blunder by unwittingly exposing social security numbers. 

In fact, according to a recent audit by the independent transparency and public-domain group Public.Resource.org, literally "tens of thousands" of social security numbers of members of the aforementioned 527s were on the Internet for about 24 hours after being discovered. Talk about pouring fuel on the fire.

The article goes into the forensic investigation done by Public.Resource.org’s founder Carl Malamud, which led to his discovery and notification to the IRS of the data breach. It involved evaluation of tax form information called T-990s and the 527 database, which in the name of transparency the IRS routinely shares with the public. Let’s just say it is discouraging to see the carelessness the IRS exercised in both exposing the sensitive information contained and its tardiness in taking some of it out of public view. It reads like a bad movie plot, although in the movies it would be clear that there was some evil force involved rather than an organizational screw-up. 

Image via Shutterstock

The IRS, in responding to the article, said it is, "Assessing the situation and exploring available options… When we were alerted last week that a substantial number of social security numbers were posted on IRS.gov in forms filed by section 527 political organizations, the IRS decided out of an abundance of caution to temporarily remove public Web access to the records…The law requires the IRS to publicly post forms, such as Forms 8871, 8872 and 990, that are submitted by section 527 organizations. The IRS frequently and routinely reminds organizations of the public disclosure of these forms and urges them not to include personal information, including social security numbers, in their public filings."

In short, this seems like a case of blaming the victim. 

In commenting on this, Dave Anderson, a senior director with the data-centric security specialist with Voltage Security, stated that, “The problem with modern IT systems is that data can be replicated, shared and moved across multiple systems, quite literally, at the touch of a button.  This requires data to be protected across its entire lifecycle, not only when it is stored away.”

He added, “The takeaway for me is that this saga highlights the need to obfuscate, or de-identify, the sensitive information in your organization, wherever it is stored and however it is used and moved. The problem with multi-dimensional data – especially spreadsheet or SQL database files – is that it is very difficult to understand which elements contain private data. For this reason, encryption and tokenization of all data becomes a driving imperative.”

The highlight of this saga for me is that assuming things are secure, especially such things as truly sensitive data like social security numbers even in the hands of an agency that should be hyper-sensitive about its protection, is an assumption needs to be constantly tested. In this case, it was a watchdog organization that caught the problem before it really exploded. However, the Anderson comments as they pertain particularly to enterprise IT organizations need careful consideration. 

The Anderson focus was on encryption, but reality is security is also about taking a holistic view that involves mitigating risks involving not just the integrity of the data itself, but also the people that handle it, how it is accessed and by whom, how it is disseminated and to whom, along with the policies and rules and enforcement procedures and technology used to assure such things are less likely to happen in the future. In that sense, maybe the IRS acting as a poster child for bad practices, is not such a bad thing.




Edited by Rachel Ramsey
SHARE THIS ARTICLE
Related Articles

Coding and Invention Made Fun

By: Special Guest    10/12/2018

SAM is a series of kits that integrates hardware and software with the Internet. Combining wireless building blocks composed of sensors and actors con…

Read More

Facebook Marketplace Now Leverages AI

By: Paula Bernier    10/3/2018

Artificial intelligence is changing the way businesses interact with customers. Facebook's announcement this week is just another example of how this …

Read More

Oct. 17 Webinar to Address Apache Spark Benefits, Tools

By: Paula Bernier    10/2/2018

In the upcoming webinar "Apache Spark: The New Enterprise Backbone for ETL, Batch and Real-time Streaming," industry experts will offer details on clo…

Read More

It's Black and White: Cybercriminals Are Spending 10x More Than Enterprises to Control, Disrupt and Steal

By: Cynthia S. Artin    9/26/2018

In a stunning new report by Carbon Black, "Hacking, Escalating Attacks and The Role of Threat Hunting" the company revealed that 92% of UK companies s…

Read More

6 Challenges of 5G, and the 9 Pillars of Assurance Strategy

By: Special Guest    9/17/2018

To make 5G possible, everything will change. The 5G network will involve new antennas and chipsets, new architectures, new KPIs, new vendors, cloud di…

Read More