IRS Data Breach Shows Why The Government Needs to Modernize Its Online Security, Now

FILE - In this Feb. 2015 file photo, President Barack Obama speaks during a summit on cybersecurity and consumer protection,
FILE - In this Feb. 2015 file photo, President Barack Obama speaks during a summit on cybersecurity and consumer protection, Friday, Feb. 13, 2015, at Stanford University in Palo Alto, Calif. The House on Wednesday is expected to pass long-awaited legislation designed to thwart cyberattacks by encouraging private companies to share with the government information about the methods of their attackers. (AP Photo/Evan Vucci)

What should have been a trustworthy digital service has been compromised, in the latest sign that the U.S. government can't be relied upon to keep the personal data of its citizens safe. On May 26, the Internal Revenue Service disclosed that sophisticated criminals had stolen tax information from 104,000 Americans via the IRS' "Get Transcript" online service, which allows taxpayers to order copies of their own tax returns and other filings. The perpetrators, whom IRS officials believe were based in Russia and other countries, accessed the transcripts by using people's personal information that had already been leaked elsewhere to answer the multiple-step authentication process the IRS had set up for the service.

Internal Revenue Commissioner John Koskinen testified to the U.S. Senate Finance Committee on Tuesday that the thefts weren't detected until after tax season, because the high volume of legitimate activity had obscured the downloads. According to his testimony, hackers made 200,000 attempts on the "Get Transcript" page, approximately half of which were successful. Koskinen said that more than 26 million tax transcripts have been downloaded since the feature launched in January 2014, reducing offline requests by at least 40 percent. The IRS has taken the service offline, and Koskinen testified that the agency's core system remains secure. Yet the damage to public trust, and to the financial lives of those affected, will linger.

According Koskinen's testimony, the thieves needed to provide a "Social Security number (SSN), date of birth, tax filing status, home address, and an email address" to get through the system. Koskinen said this was once a "perfectly good security mechanism," used in private sector banking, that has since been rendered less effective by things like the "Dark Web," the clandestine online network where stolen information and illicit goods are bought, sold and traded.

In testimony before the Senate Finance Committee on Tuesday, J. Russell George, the Treasury inspector general for tax administration, acknowledged that the impact of the breach could extend beyond the 104,000 people directly affected, given that the personal information of spouses and dependents was also included in the stolen transcripts.

George also said that the IRS had not addressed certain security weaknesses before the attack, failing to upgrade systems that would have deterred the organized exfiltration and subsequent tax fraud.

“It would have been much more difficult if they had implemented all of the recommendations we made,” said George, reflecting his written testimony.

In other words: This didn't have to happen. In March, IT security journalist Brian Krebs warned that the IRS' process for verifying the identities of people requesting a tax transcript was vulnerable to exploitation, because it relied on knowledge-based questions whose answers could be found through public records, stolen credit reports or leaked personal information. That's exactly what ended up happening.

This doesn't look like it was related the financial resources available to the agency, based upon what Koskinen said repeatedly at the witness stand. Instead, it's been alleged that in fact it was poor decision-making that prevented it from happening. According to an anonymous former IT manager for the IRS quoted by Patrick Thibodeau in Computerworld, security staff "would have preferred to implement a more dynamic and aggressive security framework that would have stopped the fraudsters from being able to get in using the information they stole from the third party," but senior IRS leadership allegedly overruled them, choosing instead to roll out a more simple authentication method to encourage use.

The IRS did not immediately respond to a Huffington Post request for comment on the Computerworld article.

It's unclear when or even if the "Get Transcript" service will go back online, or what specific security steps the agency plans to take to keep the service from being compromised again. George testified that as the IRS continues to offer self-assisted digital services for taxpayers, the risk of further data breaches will only grow. On a broader scale, the IRS has announced plans to tighten security across its systems.

If the IRS decides to provide online access to tax transcripts again -- or if it decides to create much more ambitious personalized services to give Americans access to their own data, or even if it wants to offer return-free filing -- it's going to need do much better. An obvious approach familiar to millions of consumers would be to take a page from Google, Facebook, Twitter, LinkedIn and other technology giants that provide multifactor authentication, allowing taxpayers to associate a phone number or an application with their IRS account so they can receive a second, one-off password every time they log in.

In fact, that's exactly what President Barack Obama told the federal government to do in October, when he issued an executive order focused on improving the security of consumer financial transactions. Following that order, a group of government agencies submitted a plan to Obama that would "ensure that all agencies making personal data accessible to citizens through digital applications require the use of multiple factors of authentication and an effective identity proofing process, as appropriate."

When he signed that executive order, Obama might not have been thinking specifically about the IRS, but this incident should move the agency to the top of the priority list for getting online identity right. It's too important to get it wrong again.

CORRECTION: Due to an editing error, a previous version of this article misstated that Koskinen's testimony blamed unimproved security on budget constraints. In fact, he testified that the two issues were unrelated.