Rushed Remediation Leads to Major Issues for IRS
In 2015 the IRS experienced a major security breach, potentially impacting 350,000 taxpayers. The breach was a direct correlation to the lack of controls the Internal Revenue Service (IRS) had in place for taxpayers to use its “Get Transcripts” option. This option allowed taxpayers to obtain their previous years’ tax documentation; however, due to the lack of authentication needed, hackers were able to get taxpayer data rather effortlessly.
Once this vulnerability was brought to the attention of the IRS, they disabled the “Get Transcripts” feature. Authorities also moved the “Get Transcripts” logs, including taxpayers’ personal information, to the agency’s Cybersecurity Data Warehouse (CSDW). The issue with this move lies in a few different areas. First, the proper authority official was never notified of the move, according to Nextgov. Which creates, more issues, considering the CSDW was not designed for the protection of personally identifiable information. Therefore, for the last three years, the 350,000 taxpayers who were originally impacted by this security breach, may have continued to be vulnerable. Tough pill to swallow if you’re one of those impacted.
So who’s fault is it? Sounds pretty self-explanatory — the IRS employees. Hasty decisions were made, and someone should be held accountable for those decisions. But, that is not how the IRS sees it.
Agree to Disagree?
The aftermath of the breach, could have been handled far better. Instead of rushing to remediate the problem, which led to an unauthorized party moving thousands of log files to a data warehouse that lacked proper protection to keep these files, proper controls should be established. The audit of the CSDW left the IRS with four recommendations from the audit team. According to the audit report, those recommendations include:
- Ensure that employees are held accountable for not following established change management policies and procedures and completing requirements as quickly as practicable, thus putting PII at risk of exposure to unauthorized access.
- Ensure that all CSDW security documentation, including but not limited to the risk assessment and system security plans, are updated and completed as required by Federal and agency policies and procedures.
- The Chief Information Officer should ensure that automated controls and processes to capture and monitor the activities of all IRS personnel with access to transactional audit logs containing taxpayer data in the CSDW are implemented.
- The Chief Information Officer should ensure that a complete and accurate inventory of systems that transfer transactional audit logs containing taxpayer data to the CSDW is maintained.
All of which seem legitimate. However, the IRS only fully agreed with two of these recommendations. Check out the IRS management responses in the full audit report, here.
