What Everyone Needs to Know About the IRS Breach


As a cyber security professional, balancing the unique needs of the organization with industry best business practices is always a challenge. Tactics, techniques, and procedures are often a reflection of an organization's prevailing mindset. People have become accustomed to operating in a particular manner. For the security professional, this can create formidable opposition to any proposed changes.

The recently reported Internal Revenue Service "breach" is no exception. While it was not (technically speaking) a data breach, tax returns were filed fraudulently after taxpayer accounts were accessed using stolen information. Events at the IRS allow us insight into a battle fought within organizations every day: increasing technical security measures at the cost of user convenience.

More importantly, these events cast a deeper light on exactly how entangled the cyber universe has become. Criminals do not need to breach a system to steal our identities and squander our livelihoods. The Internet of Things is a tangled web of relationships that can and will work against us, unless of course we work to change the culture within our personal lives and within our organizations.

What Everyone Needs to Know

According to a report by Brian Krebs, systems at the IRS were not breached. Criminals used data collected elsewhere to assume the identities of taxpayers. Then they used this information to access transcripts of previous tax returns. Take a moment and think about the information contained on your tax return. Now, take another moment and think about what you (or a criminal with that information) could do.

Once criminals have access to Personally Identifiable Information (PII), they have hit the mother lode. Now they can begin gathering answers to your personal identity verification questions. Typically, this only requires a quick perusal of your social media profiles, and they have all the information they need. It might be weeks or months before you even know you're a victim.


Another important facet of this incident is how they obtained the PII in the first place. John Valentine of the Utah State Tax Commission believes third-party providers (such as TurboTax and Intuit) might be to blame. However, I don't think that we should focus on who was to blame. There is a much more important lesson to learn here.

Our relationships with people and businesses potentially expose us to all sorts of vulnerabilities. In the current landscape, our refrigerator is connected to Wi-Fi, our home alarm systems operate via the Internet, and our cars are connected to the Internet. In some way, all of these devices share or access information about us.

Everyone (not just security professionals) needs to understand this one important fact. Today everyone is connected to people and devices they have never met.

The Twenty Percent Solution

Since 2014, we have been inundated with story after story of data breaches. Attackers compromised large corporations for extended periods of time. Those corporations announced the breach, offered free credit reporting, and focused on mitigating their legal exposure.

The average everyday person (business person, entrepreneur, etc.) was left to figure out how this impacts their life and how they can defend themselves against it. Technology is not the answer. If we want to protect our families and our livelihoods, we have to become more aware. Understanding how our lives connect via the Internet is vital.

Everyone has access to technology. All of the organizations breached in 2014 had implemented various levels of technology. Clearly, technology is not the be-all and end-all solution. According to the Verizon 2015 Data Breach Investigations Report, non-technical attack methods remain prevalent. Changing the prevailing mindset in our personal and professional lives will yield much greater results.

The Bottom Line Up Front

My Army training taught me to know myself, know the battlefield, and know my enemy. Times are changing, and now everyone needs to understand these three concepts. The exponential growth of the cyber universe exposed everyone to dangers we have never previously considered.

Are you prepared? What is the biggest security challenge you face in your life or organization?