The US Internal Revenue Service (IRS) has failed to activate protections for the victims of at least 89 data breaches, leaving at least 11,406 US taxpayers without protection from fraudulent tax filings.
These are the findings of a recent audit performed by the Treasury Inspector General for Tax Administration (TIGTA), the oversight body within the US Department of the Treasury that audits IRS programs.
More specifically, TIGTA investigators looked at the IRS Return Integrity and Compliance Services (RICS) Incident Management Tracker Matrix. This is a database of data breaches that external entities report to the IRS.
If Social Security numbers have been exposed in a reported breach, RICS analysts are supposed to record the breach in the Incident Management Tracker Matrix and load the list of compromised Taxpayer Identification Numbers (TINs) into the IRS' Dynamic Selection List (DSL). The DSL is an internal IRS fraud-screening system: tax returns filed under a TIN on the list are flagged and reviewed for signs of a fraudulent filing before a refund is issued. A breach that never reaches the tracker, or a TIN list that never reaches the DSL, therefore means returns filed under the stolen numbers receive no extra scrutiny at all.
But TIGTA found that RICS analysts failed to record every reported data breach and to load every exposed TIN into the DSL. Below are the audit's summarized findings:
We obtained 3,486 e-mails located in the IRS's mailboxes used to receive reported data breaches from external entities. We judgmentally selected a sample of 527 e-mails that reported data breaches from the universe of 3,486 e-mails. We then compared the 527 e-mails associated with a data breach to the RICS Incident Management Tracker Matrix to determine if the RICS organization properly recorded all data breaches. We found that 89 (17 percent) were not recorded and monitored on the Incident Management Tracker Matrix.
For the 89 data breaches that were not recorded in the Incident Management Tracker Matrix, TIGTA determined that for:
- 70 data breaches - the RICS analyst did not ask the external entity to provide the IRS with a list of stolen TINs. Internal guidelines require RICS analysts to request the stolen TIN list from the external entity and record the data breach on the Incident Management Tracker Matrix. If a TIN list cannot be obtained, an analyst should still document the data breach on the Incident Management Tracker Matrix with the notation, "unable to secure taxpayer data."
- 15 data breaches - external entities provided the IRS with a TIN list but analysts failed to record the incident on the Incident Management Tracker Matrix. As a result, 11,406 SSNs associated with these breaches were not added to the DSL. For 79 of these SSNs, the taxpayers already experienced the burden of an identity thief using their SSN to file a fraudulent tax return. The thieves used the taxpayers' SSNs to file either a Tax Year 2016 or 2017 return.
- 4 data breaches - the analysts did request the TIN list but the external entity declined to provide one. However, similar to the first bullet, once the external entity declined to provide the TIN list, RICS analysts did not attempt to create a list of stolen TINs as required.
The TIGTA report faults the individual RICS analysts for the missed breaches, but it also faults RICS management, because the Incident Management Tracker Matrix has no control that would have caught the misses. The database does not record whether a TIN list was received for a reported breach, nor whether an analyst requested one from the external entity or attempted to compile one when the entity declined. Without those fields, management had no way to reconcile the breach reports arriving in the intake mailboxes against the entries actually loaded into the DSL.
TIGTA officials said the IRS agreed to load the missing 11,406 SSNs into the DSL and to revise its breach-intake procedures so that similar gaps do not recur.