The AP is reporting that the IRS didn’t really know how many taxpayers had their information stolen by hackers who used the Get Transcript web site.
Originally, the IRS said that hackers tried to get information for about 200,000 taxpayers and were successful in getting information for 100,000 of them. Originally, they said the hack started in February.
Now they are saying the hack started in November and the hackers attempted to get information for over 600,000 taxpayers and were successful for over 300,000 taxpayers.
That means that they were off by a factor of 3 in how many taxpayers had their data stolen. That is a big discrepancy.
The fact that they did not know when the hack started, how many records the hackers attempted to get, or how many they succeeded in getting is not a big surprise. While we can point to antiquated systems in the government (the IRS has been trying to “modernize” its systems, unsuccessfully, for years), many private businesses are in the same boat.
Even private businesses that don’t have antiquated systems often don’t log all of the information necessary to answer those questions. And if they do, they often don’t keep the data long enough to still have it when the breach is discovered. The issue is usually cost.
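The three questions the post says the IRS could not answer (when did it start, how many records were attempted, how many were obtained) can only be answered if each request to the sensitive endpoint is logged with a timestamp, a client identifier, the record that was asked for and the outcome, and if those logs outlive the discovery of the breach. The following is an added example, not code from the original post or from the IRS; the log format, the IP addresses, the record ids and the discovery date are all constructed. It scopes a breach from such a log and then shows how a short retention window makes the start date and the counts come out wrong, which is the pattern the post describes.

```python
"""Scoping a data-theft incident from access logs (added example; all data constructed)."""
from datetime import datetime, timedelta

# Constructed sample: one line per request to a KBA-protected "get transcript"
# endpoint.  Fields: timestamp|client_ip|record_id|outcome
SAMPLE_LOG = """\
2014-11-03T09:12:44Z|198.51.100.7|tp-0001|success
2014-11-03T09:12:51Z|198.51.100.7|tp-0002|failure
2014-11-03T09:13:02Z|198.51.100.7|tp-0003|success
2015-02-14T17:40:10Z|203.0.113.9|tp-0004|failure
2015-02-14T17:40:18Z|203.0.113.9|tp-0001|success
2015-02-14T17:41:00Z|203.0.113.9|tp-0005|success
"""


def parse_log(text):
    """Parse pipe-delimited log lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, record_id, outcome = line.split("|")
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "record_id": record_id,
            "outcome": outcome,
        })
    return records


def scope_breach(records):
    """Answer the first questions an incident responder is asked: when did it
    start, how many records were attempted, how many were actually obtained."""
    if not records:
        return None
    attempted = {r["record_id"] for r in records}
    obtained = {r["record_id"] for r in records if r["outcome"] == "success"}
    return {
        "first_seen": min(r["ts"] for r in records),
        "last_seen": max(r["ts"] for r in records),
        "attempts": len(records),
        "successes": sum(r["outcome"] == "success" for r in records),
        "records_attempted": len(attempted),
        "records_obtained": len(obtained),
        # Distinct records per client: one source touching many unrelated
        # taxpayers is the signal a detection rule should alert on.
        "distinct_records_per_ip": {
            ip: len({r["record_id"] for r in records if r["ip"] == ip})
            for ip in {r["ip"] for r in records}
        },
    }


def retained(records, discovered_on, retention_days):
    """Return only the events that still exist on the day the breach is
    discovered (YYYY-MM-DD), given a log-retention window of retention_days."""
    cutoff = datetime.strptime(discovered_on, "%Y-%m-%d") - timedelta(days=retention_days)
    return [r for r in records if r["ts"] >= cutoff]


if __name__ == "__main__":
    full = parse_log(SAMPLE_LOG)
    print("full history:   ", scope_breach(full))
    # Constructed discovery date.  With 90-day retention the November events
    # are already gone, so the apparent start date slips to February and the
    # counts are understated, exactly the kind of revision the post describes.
    print("90-day retention:", scope_breach(retained(full, "2015-05-01", 90)))
```

The retention check is the part worth running against your own environment: take your real retention period and the typical time to discovery for your sector, and see whether the first event of a long-running campaign would still be on disk when you need it.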
What happened comes down to the balancing act that every organization has to deal with: CONVENIENCE OR SECURITY.
The IRS, like lots of organizations, opted for convenience.
All that was required to get a copy of your tax return “transcript” (the data on your return) was a few bits of supposedly private information – birthdate, the amount of your income from last year – things like that.
With all the breaches in the last few years, that supposedly private information is no longer private.
Any company that assumes that this sort of “out of wallet” information is really private is playing Russian roulette.
After the breach became public, the IRS shut down the web site. Sort of like closing the barn door after ….
The convenience vs. security trade-off comes from trying to make things easy for your customer. In the case of the IRS, the customer is the taxpayer, and the convenience is making it easy to get a copy of your tax return.
Web site password resets are an example of this in the private sector. To make it convenient when customers forget their passwords, web sites often give you a link that you can click on to reset your password. Often all you need is access to your email to reset your password.
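If a site does choose the emailed-link reset the post describes, the risk that a mailbox is all an attacker needs can at least be bounded by how the link itself is built: a long random token, a short lifetime, single use, a cap on guesses, and only a hash of the token kept server-side. The code below is an added example and not from the original post; the in-memory store, the user names and the 15-minute window are constructed assumptions, and a real deployment would keep the table in a database and deliver the token in the emailed link.

```python
"""Time-limited, single-use password-reset tokens (added example; store is constructed)."""
import hashlib
import hmac
import secrets

RESET_TTL_SECONDS = 15 * 60   # short window limits the value of a compromised mailbox
MAX_ATTEMPTS = 5              # stop online guessing against one pending reset


def _digest(token):
    """Store only a hash so a leaked table does not hand out live reset links."""
    return hashlib.sha256(token.encode()).hexdigest()


class ResetStore:
    """Maps user -> pending reset {digest, expires, attempts}.  Times are
    plain POSIX-style seconds passed in by the caller so the logic is testable."""

    def __init__(self):
        self._pending = {}

    def issue(self, user, now):
        """Create a fresh token for user; any earlier pending token is replaced."""
        token = secrets.token_urlsafe(32)   # 256 bits of randomness, unguessable
        self._pending[user] = {
            "digest": _digest(token),
            "expires": now + RESET_TTL_SECONDS,
            "attempts": 0,
        }
        return token                        # this value goes in the emailed link

    def redeem(self, user, token, now):
        """Return True exactly once for a valid, unexpired token."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        if now > entry["expires"]:
            self._pending.pop(user, None)   # expired: discard it
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            self._pending.pop(user, None)   # too many guesses: discard it
            return False
        # Constant-time comparison of the hashes avoids leaking the digest
        # byte by byte through timing.
        if not hmac.compare_digest(entry["digest"], _digest(token)):
            return False
        self._pending.pop(user)             # single use
        return True


if __name__ == "__main__":
    store = ResetStore()
    tok = store.issue("alice", now=1000.0)
    print("first redeem:", store.redeem("alice", tok, now=1100.0))   # True
    print("replay:      ", store.redeem("alice", tok, now=1101.0))   # False
```

Two design points worth carrying over: the response to a reset request should look the same whether or not the account exists, so the form cannot be used to enumerate customers, and the token should never be logged in full by the web server or the mail system, since the logs would then become the reset.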
The good news for the IRS is that they are unlikely to get sued and even less likely to go out of business.
That is not the same for you. If you were to lose control of customer information for 300,000 customers, you are likely to get sued, and many small businesses that suffer a loss like that go out of business.
So, as I always say – security or convenience. Pick one. My suggestion is that you pick carefully.
Information for this post came from the AP.