Security, whether on-site or in cyberspace, is a top priority for EBI and many other companies. It’s a scary world out there. We know it. You know it. It is astounding to discover that our government doesn’t seem to know it as well.
Two taxpayers recently filed a lawsuit against the IRS in response to the massive data breach that was announced back in May. The named plaintiffs are seeking class action status as the number of affected Americans has been upped from just over 104,000 to more than 330,000.
To understand what happened, you first need to know about "Get Transcript," a $2.7 million system that the government set up to allow taxpayers to get a copy of their previous tax returns. Maybe it proved to be a helpful service to some honest citizens, but it turned out to be an open door for cyber-crooks.
According to the IRS, the criminals already had some previously stolen personal information about the taxpayers. With that stolen info, they were able to work out the answers to the security questions on Get Transcript. Once they made it in, they copied down all of their victims’ financial information from their previous tax returns and used the data to file fraudulent returns. They have reportedly stolen nearly $40 million in refunds from the IRS through these fake returns. It’s not clear how many tax returns were filed, but all of those 330,000 households are now at risk.
According to an article on Nextgov.com, the agency only divulged the true scope of the breach after the White House asked for a 72% increase in the IRS data security funding.
The lawsuit alleges the IRS knew the website was vulnerable to security breaches but did nothing to protect the financial information. At this point, the IRS has not responded to several media outlets’ requests for comment on the suit. They have announced, however, that all victims of the Get Transcript breach will be offered free credit protection as well as PIN numbers to help protect next year’s returns.
Unfortunately, we are at the mercy of the IRS when it comes to supplying our personal information and financial data, but in the business world we have many choices. Providing personally identifiable information (PII), confidential or sensitive data without properly vetting your supplier can leave cyber-thieves with an unlocked door to your information.
Third-party security risks continue to top the charts as the leading cause of security breaches. Always conduct a risk assessment and thorough analysis of information security protocols before solidifying any partnership. Ensure that any potential partner has an information security policy, documented procedures and ongoing training to ensure continual review and improvement. Companies serious about information security will seek out ways to separate themselves through a third-party assessment such as an ISO 27001 information security certification.