The Inevitable: Death, Taxes and Breaches

IMGCAP(1)]Benjamin Franklin was a smart guy when he said back in 1789, “In this world nothing can be said to be certain, except death and taxes.” He hit the nail right on the head.

A new year is upon us, and what does that mean? Another tax season! Taxes have definitely changed over the years as have the ways they are paid. According to efile.com, over 90 percent of 2014 returns were e-filed, an increase of roughly 5 percent from 2013 returns. In fact, the percentage of individuals who e-file returns has steadily increased since 2001. With the increasing reliance on technology for filing returns, is the federal government taking the necessary measures to protect personal information?

Breaches at the IRS
Unfortunately, data breaches and cyber-attacks at the IRS are not a new thing. In 2014, the U.S. Government Accountability Office published a report, IRS Needs to Address Control Weaknesses that Place Financial and Taxpayer Data at Risk. The report found that while the IRS had made progress in addressing known control weaknesses, “weaknesses remain that could affect the confidentiality, integrity, and availability of financial and sensitive taxpayer data.” Although protecting taxpayer data and securing computer systems remains a top priority for the IRS, they continue to face challenges and continuous breach attempts.

In early 2015, hackers used the IRS’s “Get Transcript” application to access approximately 334,000 accounts and retrieve millions of taxpayer transcripts from prior years. Although the information used to access the system was not stolen from the IRS, hackers were still able to utilize stolen information from other sources to answer various personal identity and security verification questions to access the application. According to The New York Times, the hackers in the 2015 breach were able to profit $50 million from filing fraudulent returns.

A more recent attack earlier this year involved attackers using personal data and malware to generate e-filing PIN numbers. According to the IRS, “We identified unauthorized attempts involving approximately 464,000 unique SSNs, of which 101,000 SSNs were used to successfully access an E-file PIN.”

An e-file PIN is a required step in finalizing and submitting online tax returns. What does this mean for these 100,000 taxpayers? The earliest that 2015 tax returns could be filed was January 19. Since the tax deadline isn’t until April 18, many people haven’t even begun to think about filing their returns. This is great news for fraudsters. This gives them plenty of time to file a fraudulent return using the names of the 100,000 taxpayers impacted and reap the rewards of their refund before they even notice.

Why the IRS?
Why does the IRS find itself continuously under the threat of attack? The IRS, like all departments of the federal government, is susceptible for a couple of reasons. First, government agencies store financial and personal information on hundreds of millions of individuals. If attackers can get in, it’s a one-stop shop. They can either utilize the information for their own personal gain, such as filing fraudulent tax returns in order to collect the refunds, or sell the information to anyone who might be interested, such as criminal organizations either in the U.S. or other countries.

Second, the government’s security measures and cyber defenses that are currently in place are not robust enough to thwart attacks such as the attacks at the IRS. Due to the increased risks that the government faces, more stringent security measures are needed that are currently not in place.

What Could Have Been Done
Is there anything that could have prevented the most recent cyber-attack at the IRS, or any cyber-attacks in government agencies? There are a couple of things that could have been done that might help prevent attacks, or at least made them more challenging for attackers. President Obama’s 2017 budget proposal, along with the administration's Cybersecurity National Action Plan, or CNAP, are steps towards reducing the overall risk faced by government agencies.

Increase Cybersecurity Funding
It is clear that in order to reduce the number of attacks targeting the federal government, more funding will need to be dedicated to cybersecurity. According to the Federal Times, Obama’s 2017 budget gives cybersecurity programs a 35 percent funding increase over 2016 funding, bringing the total funding to $19 billion. Although this is a step in the right direction, more funding is still needed. According to US News and World Report, the FBI’s cyber budget in 2015 was $470 million, which was only 5.7 percent of the agency’s requested budget.

Update Legacy Systems and Increase Security Measures
There are no ifs, ands or buts about it—many government systems are outdated. In fact, much of the increase in the cybersecurity budget aims to replace antiquated systems. The Office of Personnel Management hack in 2015 that exposed the personal information of 22 million federal employees was primarily due to the OPM utilizing databases that were decades old. US News and World Report states that the last time the OPM’s databases were updated was to fix the Y2K bug! The issue with outdated systems is that several of them cannot accommodate the updated security measures required in today’s world. For example, multi-factor authentication and encryption were not integrated into any of OPM’s 47 major applications.

In the case of the IRS breach, the e-file PIN that is required to file tax returns is an attempt at two-factor authentication. However, all that is required to obtain an e-file PIN is personal information that could be readily obtained by anyone (as evidenced by the attack). In order to prevent attacks like this from happening in the future, the IRS should consider strengthening their two-factor authentication and providing something such as the Identity Protection PIN (IP PIN) to anyone who is interested, not only those taxpayers who have already experienced some sort of identity breach. However, the IP PIN has also proven to be vulnerable to criminals (see IRS Suspends IP PIN Service for Identity Theft Victims).

Continue to Hire Security Personnel
The first step in combatting security issues is to hire personnel who understand them. The CNAP has called for the creation of a Federal Chief Information Security Officer, or CISO, position. The Federal CISO would be responsible for driving IT changes across the government—primarily focusing efforts on modernizing the government’s legacy IT systems that are still in use.

A Federal CISO is a good start, but several other security personnel are needed throughout various government agencies. Fortune magazine estimated there were 30,000 open cybersecurity positions in the federal government in 2014. Nationwide, the Cisco 2014 Annual Security Report found that the shortfall of cybersecurity personnel is roughly 1 million and expected to increase to 1.5 million by 2019.

Increase Security Awareness
Filling those empty positions requires an increase of security awareness throughout the country. Obama’s 2017 budget proposal also includes $62 million to stimulate the development of cybersecurity curriculums. These programs would range from grade schools to universities and assist in developing IT awareness at a young age.

It is also important that all individuals understand security threats facing them and their employers. Employers should ensure they have the appropriate information security policies and procedures in place and that employees are made aware of the company’s information security policies through company-wide security awareness trainings.

How to Safeguard Personal Information
When it comes to personal information, it’s not possible to be too overprotective. Be careful who you share this information with, and how. Be sure if you are sharing personally identifiable information (PII) online that you are using a secure internet connection and that the website or application is secure.

Also, be sure not to leave PII out in plain sight where anyone could see (and steal) this information. Be diligent about checking your mail if your mailbox doesn’t lock. With 1099s, W-2s, K-1s and a plethora of other tax information being mailed to millions of taxpayers this time of year, it would be easy for someone to simply swipe these forms from the mailbox and obtain your PII. Once you are done with forms containing your PII, be sure to store them in a secure place or shred them to prevent someone from obtaining this information.

Don’t Put Off Until Tomorrow What You Can Do Today
I get it. Taxes aren’t fun and there is still nearly a month left before the filing deadline, so what’s the rush? The earlier you file, the safer you are. With the recent attack on the IRS involving the theft of e-file PINs, the first to file is the first to get the refund. Don’t allow a hacker time to file a fraudulent return in your client’s name and collect the refund!

Be Skeptical
According to Symantec, spear-phishing activities, in which an email fraud targets a particular organization and pretends to come from a trusted source, reached a 12-month high. In November 2015 with 102 attacks per day. With the advances in technology, phishing emails are beginning to look more and more like legitimate emails, appearing to come from your bank or some other legitimate source. If you see something online that you aren’t sure about, chances are it is a scam. If you or a client gets an email from a bank requesting that you confirm a Social Security Number or other personal information, call the bank or stop by to see if this is a genuine request.

Pull and Monitor Credit Reports
Be diligent about monitoring credit reports for unusual activity. There are several online services that offer free credit reports and several credit card agencies also provide credit monitoring services. Take advantage of this! If you are checking your credit reports on a regular basis, you will probably know if you have fallen victim to identity theft long before you are alerted by the hacked organization.

Is My Information Protected?
While the federal government is taking steps to increase security measures and limit the risk of future attacks, the threat of a breach cannot be entirely eliminated. With the reliance on technology increasing each year (especially when it comes to filing tax returns), it is imperative for individuals to understand the issues and how they can best protect their personal information. It is important for everyone to stay abreast of security issues and be leery of sharing personal information.

Lauren Williams is a senior associate with Schellman & Company, Inc. Lauren has five years of public accounting experience, which includes international tax consulting/structuring, financial services risk and regulatory consulting, extensive experience in mortgage servicing, and, most recently, SSAE 16/SOC attestations. Lauren specializes in controls assurance, with primary focus on SOC 1, SOC 2 and SOC 3 engagements for a variety of clients. She is a licensed CPA in the state of Georgia and received both her Bachelor of Accountancy and Master of Taxation from the University of Mississippi.

For reprint and licensing requests for this article, click here.
Tax practice Data security Tax season Tax fraud
MORE FROM ACCOUNTING TODAY