Controls Might Have Averted IRS BreachIG Tells Senate Panel IRS Failed to Implement Recommendations
Hackers would have had a tougher time breaching the Internal Revenue Service's "Get Transcript" online service had the IRS implemented the inspector general's security recommendations, Treasury Inspector General for Tax Administration Russell George told a Senate panel.
But in his testimony before the Senate Finance Committee on June 2, George stopped short of saying that implementing those security safeguards would have prevented the breach that exposed 104,000 taxpayer accounts.
"I cannot at this stage give you a definitive answer as to whether or not it would have been possible," George said of preventing the breach. "But I can say it would have been much more difficult had they implemented all of the recommendations that we made."
George said that since 2011, the IRS had failed to implement 44 security recommendations, including 10 recommendations that came from audits conducted more than three years ago (see IRS: 2 Audits, 2 Conclusions on Risk Management).
The hearing focused on the breach revealed last month of the IRS Get Transcript online service that involved hackers circumventing authentication protections to gain access to tax records (see IRS: 100,000 Taxpayer Accounts Breached).
A Stark Reminder
"This incident provides a stark reminder that even security controls that may have been adequate in the past can be overcome by hackers who are anonymous, persistent and have access to vast amounts of data and knowledge," George said.
In his testimony, IRS Commissioner John Koskinen painted a bleak picture of the current state of security for IRS information systems. "We are running an antiquated system, with some applications that are 50 years old," he said. "We haven't even been able to provide patches for all of the upgrades. Some of our systems don't have patches because they're no longer supported by the providers."
Both witnesses testified that the Get Transcript breach emanated from criminal gangs operating in several countries, not just Russia, as some news accounts reported. "They are, in fact, operating globally [and] are not constrained by geographic locations," Koskinen said. "But our experience in looking at syndicates around the world is that they cooperate when it's in their interests and they cross national boundaries very easily."
The witnesses declined to publicly name the other countries where the hackers are located, citing the continuing investigation into the breach.
Balancing Ease of Use with Security
George said that making Get Transcript user-friendly might have contributed to the breach. "As the IRS is attempting to make the experience between the taxpayer and IRS more user friendly, they are giving [hackers] equal opportunities to access information in ways heretofore that did not exist," he said. "It's a true challenge for the IRS to make a balance between ease of access and the security."
The Get Transcript online service, which was taken down when the breach was discovered, will have enhanced security when it's restored, Koskinen said. As a result, taxpayers may find it more cumbersome to access the system, he acknowledged.
Before the breach, some 23 million taxpayers had used knowledge-based authentication, or KBA, that required them to answer personal questions to gain access to their accounts, Koskinen said. Some security experts say the hackers may have used personally identifiable information stolen from other breaches to answer those questions and gain unauthorized access to taxpayers' information (see IRS Authentication Method Criticized).
As a result of news coverage about the Get Transcript incident, as well as other breaches in business and government, Koskinen said consumers realize that tougher security requirements are needed to protect their accounts.
"Taxpayers and customer are willing now, and understand the need to accept a higher level of burden," he said. "No matter how important it is to provide excellent taxpayer service, we have to focus as much as we can on the security of the data. That's a critical issue for us."