On May 26, 2015, it was widely reported that over the last four months, criminals accessed information related to at least 100,000 taxpayers. Specifically, the criminals accessed the information through the agency’s “Get Transcript” application that allows taxpayers to obtain information from prior tax returns.
This incident, which the IRS was careful not to call a breach, is troubling because the criminals used the application on the agency’s website exactly the way it was designed to be used by the taxpayer. The agency has pointed out that in order to gain access, the criminals needed to have a significant amount of information gathered from other sources. That is, in addition to common identifiers such as name, address or Social Security numbers, the criminals would have needed “out of wallet” information such as answers to questions about a taxpayer’s first car, high school mascot or other information used to create heightened security. The agency reports that the criminals in this incident may have obtained the “out of wallet” information from taxpayers’ social network websites. There is speculation that the criminals may use this information to file false tax returns next year.
This incident may affect more than the taxpayers whose own information was stolen: if their previously filed returns were accessed, the criminals now also hold information about the taxpayers’ children, including their Social Security numbers.
While this incident at the IRS is still developing, it shows that complying with current Federal and state regulations may not be sufficient to fully protect stored data. There is no information at this time indicating that the IRS was not in compliance with all relevant laws and regulations. Unfortunately, lawmakers can only respond to breaches and other cyber security incidents after the fact and cannot keep pace with the rapid evolution of hackers and other criminals. The protection and use of “out of wallet” information has not been addressed by legislatures. The current situation at the IRS demonstrates that the best strategy (assuming cost is not a factor) is not to stop at the mandated requirements for data storage.