Senator Prods IRS for More Info on Massive Data Breach

Senate Finance Committee Chairman Orrin Hatch, R-Utah, has written to IRS Commissioner John Koskinen for answers about the massive data breach that the IRS disclosed this week.

Koskinen revealed Tuesday that identity thieves had managed to access the tax returns of approximately 104,000 taxpayers by using the IRS’s Get Transcript online application (see IRS Detects Massive Data Breach in ‘Get Transcript’ Application). Koskinen had disclosed the data breach to Hatch and several other members of Congress involved in oversight of the IRS last Friday before revealing the security lapse to the public.

In the letter, Hatch asked the IRS to provide a confidential briefing to his committee staff detailing the events that surrounded the data breach by no later than June 5, 2015.

“As the Senate Committee with jurisdiction over the Internal Revenue Code and oversight jurisdiction over your agency, it is critical that this Committee fully understand what took place, what information was at risk, how this may affect tax administration, and what appropriate legislative responses may be needed to reduce the risk of this occurring again,” Hatch wrote.

Hatch thanked Koskinen for his call last Friday informing him of the data breach and said he would provide his support. “Throughout this investigation, and your investigation into the source of the recent attack, you will have the full support of the committee and, as chairman, I look forward to the swift identification and punishment of those who are responsible for these crimes,” Hatch added.

He noted that last month, he and Senate Finance Committee ranking member Ron Wyden, D-Ore., had quietly launched an investigation into the methods by which computer and online tax preparation services, as well as major prepaid debit card providers, screen for stolen identity refund fraud (SIRF). Hatch said he would be writing to Koskinen on that matter separately in the coming days, but a key concern of the Committee is the growing threat of SIRF to tax administration. This concern will only be amplified by the recent IRS breach.

In the meantime, Hatch asked Koskinen to respond to his committee’s staff with a confidential briefing by no later than June 5 about a number of questions, including when the breach occurred, when the IRS learned of the breach and how it became aware, what information allowed the attackers to obtain access, and what is the agency’s understanding of how the attackers gained this information. He also asked if the IRS has information indicating the geographic source of the attack, and whether the attackers subsequently used the taxpayer information obtained in this breach. He pointed to press reports indicating that about 15,000 tax refunds were claimed subsequent to the attack, and wanted to know if that figure is correct. He also asked whether the IRS has requested assistance or information from other federal departments, and, if so, whether it has received that assistance or information.

Hatch’s committee plans to hold a hearing on the IRS data breach next Tuesday, with testimony from Koskinen and Treasury Inspector General for Tax Administration J. Russell George.

It’s a good idea for accounting firms to advise their clients about the breach, according to one expert.

“Always educate your customers on this type of breach because not everybody is aware it happened,” said Mark Shelhart, senior manager for incident response and forensics at Sikich LLP, a Chicago-based professional services firm that specializes in accounting, technology, investment banking and advisory services. “For everybody who is looking to get a refund and they didn’t get their money back, it’s in their face. At the same time, a lot of people don’t realize the risks and dangers of what has happened. More importantly, folks like Sikich and other accounting firms out there are probably the direct target that the attacker would go after because they need to get that Social Security number and address and that type of information before they can reach into the IRS to make that refund pull. So the dangers of Sikich being the next target are probable.”

Shelhart believes the IRS should use multifactor authentication similar to what Facebook is using to protect against identity theft. “If you log in from a new device of any type, you get a text message from Facebook that says, ‘Hey, you just logged in from a different machine. If this wasn’t you, go change your password,’” he said. “The whole ‘what was your favorite color or what was your first dog’s name?’ is old hat. Nobody should be doing it at that level anymore.”
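The control Shelhart describes, a login from an unrecognized device that triggers an out-of-band message and is not trusted until the user confirms it, looks roughly like the following. This is an added illustration, not code from the IRS, Facebook or Sikich; the `AuthService`, `Account` and `device_fingerprint` names, the SMS "outbox" and the sample user data are all constructed for the example.

```python
"""Added example: new-device detection with out-of-band step-up.

A password alone never establishes a session from a device the account
has not used before. Instead a one-time code is sent out of band (here
collected in a constructed `outbox` list standing in for an SMS gateway)
and the device becomes trusted only after the code is confirmed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


def device_fingerprint(user_agent: str, accept_language: str, platform: str) -> str:
    """Stable, non-reversible identifier for a browser/device combination.

    Fingerprints are a coarse signal and can be spoofed, so an unknown
    fingerprint should add friction; a known one should never by itself
    replace the password check.
    """
    raw = "\x1f".join((user_agent, accept_language, platform)).encode()
    return hashlib.sha256(raw).hexdigest()


@dataclass
class Account:
    username: str
    phone: str
    known_devices: set = field(default_factory=set)
    pending_codes: dict = field(default_factory=dict)  # fingerprint -> one-time code


@dataclass
class LoginDecision:
    allowed: bool
    reason: str
    notification: Optional[str] = None  # text sent out of band, if any


class AuthService:
    """Hypothetical login service; constructed for this example."""

    def __init__(self) -> None:
        self.accounts: dict = {}
        self.outbox: list = []  # (phone, message) pairs, stands in for an SMS gateway

    def register(self, username: str, phone: str, first_device_fp: str) -> Account:
        acct = Account(username, phone, {first_device_fp})
        self.accounts[username] = acct
        return acct

    def login(self, username: str, password_ok: bool, device_fp: str) -> LoginDecision:
        acct = self.accounts[username]
        if not password_ok:
            return LoginDecision(False, "bad password")
        if device_fp in acct.known_devices:
            return LoginDecision(True, "known device")
        # Unknown device: issue a one-time code and tell the user out of band,
        # so that someone holding only the password (or KBA answers) is stopped here.
        code = f"{secrets.randbelow(10**6):06d}"
        acct.pending_codes[device_fp] = code
        msg = (f"New sign-in to {username} from an unrecognized device. "
               f"If this was you, enter code {code}. If not, change your password.")
        self.outbox.append((acct.phone, msg))
        return LoginDecision(False, "step-up required", msg)

    def confirm(self, username: str, device_fp: str, code: str) -> bool:
        """Consume the pending code; on success the device becomes known."""
        acct = self.accounts[username]
        expected = acct.pending_codes.get(device_fp)
        if expected is None or not hmac.compare_digest(expected, code):
            return False
        del acct.pending_codes[device_fp]
        acct.known_devices.add(device_fp)
        return True


if __name__ == "__main__":
    svc = AuthService()
    laptop = device_fingerprint("Mozilla/5.0 (X11; Linux)", "en-US", "Linux")
    phone = device_fingerprint("Mozilla/5.0 (iPhone)", "en-US", "iOS")
    svc.register("alice", "+1-555-0100", laptop)  # constructed sample user
    print(svc.login("alice", True, laptop))       # allowed, known device
    print(svc.login("alice", True, phone))        # step-up required, SMS queued
    print(svc.outbox[-1])
```

The code is deliberately single-use and compared with `hmac.compare_digest`; a production service would also expire pending codes, rate-limit confirmation attempts and log every step-up so that a burst of new-device challenges across many accounts is visible to the people watching the logs.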

He also thinks the IRS needs to be relying less on automation to safeguard its data. “We don’t know what the IRS is doing,” said Shelhart. “We’d like to think there’s ample protection, but we don’t think that there’s enough humans looking at the logs or watching the perimeter for this type of attack. If you’ve got $50 million cash sitting someplace, which is the equivalent of what they think that they’ve lost here, you can’t just put a firewall or a fence around the money and leave it sitting. There’s people patrolling looking at the fence, looking at the money, watching the logs and looking at attacks to see what’s going on. We have an attack from an outside group that’s very coordinated happening at a point, and human response could have detected this much sooner than what happened here.”
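The kind of check a human "watching the logs" would automate is illustrated below as an added example. The log format, the service name, the client addresses and the account identifiers are all constructed for the illustration and are not IRS logs; the rule simply flags any client address that reaches an unusual number of distinct accounts inside a short window, which is what a coordinated bulk-access campaign tends to look like whether or not each individual request passed the knowledge-based questions.

```python
"""Added example: flag one source touching many distinct accounts.

Constructed access log for a hypothetical transcript-download service.
Fields: timestamp, client address, pseudonymous account id, KBA result.
Thresholds (10-minute window, more than 5 distinct accounts) are
arbitrary choices for the example, not values from any real deployment.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data: one ordinary user, one small office behind NAT,
# and one address walking through six different accounts in ninety seconds.
SAMPLE_LOG = """\
2015-05-20T09:58:10Z 203.0.113.5  acct-0100 KBA_OK
2015-05-20T10:00:01Z 198.51.100.7 acct-0001 KBA_OK
2015-05-20T10:00:03Z 198.51.100.7 acct-0002 KBA_FAIL
2015-05-20T10:00:05Z 198.51.100.7 acct-0002 KBA_OK
2015-05-20T10:00:20Z 198.51.100.7 acct-0003 KBA_OK
2015-05-20T10:00:45Z 198.51.100.7 acct-0004 KBA_FAIL
2015-05-20T10:01:02Z 198.51.100.7 acct-0005 KBA_OK
2015-05-20T10:01:30Z 198.51.100.7 acct-0006 KBA_OK
2015-05-20T10:02:11Z 192.0.2.44   acct-0200 KBA_OK
2015-05-20T10:03:40Z 192.0.2.44   acct-0201 KBA_OK
2015-05-20T10:04:15Z 192.0.2.44   acct-0202 KBA_FAIL
2015-05-20T10:05:30Z 203.0.113.5  acct-0100 KBA_OK
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, account, result)."""
    ts_s, ip, acct, result = line.split()
    return datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ"), ip, acct, result


def find_bulk_access(log_text, window=timedelta(minutes=10), max_distinct=5):
    """Return {ip: (first_alert_time, distinct_accounts, kba_failures)}.

    A sliding window per client address tracks how many different accounts
    that address has reached; the alert fires the first time the count
    exceeds `max_distinct`. Repeated logins to one account (a normal user)
    or a handful of accounts behind one NAT stay below the threshold.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)                   # ip -> deque of (ts, acct)
    per_acct = defaultdict(lambda: defaultdict(int))  # ip -> acct -> hits in window
    failures = defaultdict(int)                   # ip -> KBA failures seen
    alerts = {}
    for ts, ip, acct, result in events:
        if result == "KBA_FAIL":
            failures[ip] += 1
        q, counts = recent[ip], per_acct[ip]
        q.append((ts, acct))
        counts[acct] += 1
        # Evict events that have fallen out of the window.
        while q and ts - q[0][0] > window:
            old_ts, old_acct = q.popleft()
            counts[old_acct] -= 1
            if counts[old_acct] == 0:
                del counts[old_acct]
        if len(counts) > max_distinct and ip not in alerts:
            alerts[ip] = (ts, len(counts), failures[ip])
    return alerts


if __name__ == "__main__":
    for ip, (ts, distinct, fails) in find_bulk_access(SAMPLE_LOG).items():
        print(f"ALERT {ts:%H:%M:%S} {ip}: {distinct} distinct accounts, {fails} KBA failures")
```

The rule is intentionally crude: it is one of several signals (new-device rate, KBA failure ratio, geographic spread) an analyst would correlate, and the thresholds have to be tuned against the service's own baseline so that shared corporate egress addresses do not page someone every morning.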

Should accounting firms be more cautious about safeguarding their own clients’ data if the IRS proved vulnerable? “Let’s be honest,” said Shelhart. “If you compare this with some of the medical breaches, active clients need to make sure that you’re protecting their data, where it’s stored, how many different copies, and there are third parties. If you’re an accounting firm and you have some outside contractor for backups or for whatever reason, you need to make sure that your contractors and third parties are protecting it as well. But also old data—if you’ve got customers that aren’t your customers anymore, how long should you retain that data? Does it need to be online? Should you store it someplace online or is it instantly accessible from every machine within your company?”
