Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Who should get the blame in IRS breach?

Patrick Thibodeau | June 3, 2015
The IRS may need to re-think the security process it uses to check taxpayer identities for its Get Transcripts app.

One system that the IRS did put in that can be effective is making six-digit PIN available to taxpayers, but Levy said a lot of people are not aware of it.

Nevertheless, attackers have been able to get data to answer out-of-wallet question from publicly accessible records, as well as through the theft of credit records.

"Out-of-wallet challenge response questions, or KBA (knowledge based authentication) would not have offered much of a defense for those who were exploiting the IRS Get Transcript functionality," says John Zurawski, vice president at Authentify, a supplier of authentication services.

Zurawski believes that authentication processes that link phone numbers to people, similar to what online services such as Google now offer, could thwart many attempts to breach records.

IRS funding for cybersecurity has fallen from $187 million in 2011 to $149 million in 2015 -- a drop of more than 20% , said Matthew Leas, an IRS spokesman, in a response to a query from Computerworld.

This biggest cut happened 2011. Funding fell off a cliff in 2011 and declined to $129 million in 2012, and then rose. (This 2011 budget data was not immediately available when Computerworldfirst reportedon the staffing decline and budget. The available data shows an increase from 2012 to 2014.)

"Complicating this situation even further are staffing issues, both in cybersecurity as well as leadership and executive positions across the agency," said Leas, in a statement.

In addition to a smaller workforce, the IRS "lost several key leaders in the information technology and analytics areas due to the loss of streamlined critical pay authority late last year," said Leas, in a statement.

The critical pay authority allowed the IRS to appoint or retain people with a high level of expertise for up to four years at salary rates above normal government levels. But no one could be paid higher than the vice president, who earns $233,000.

IT appointments accounted for most of the positions filled under this program. The "private-sector expertise had been crucial to introducing new leadership to supplement in-house expertise," according to report late last year by the Treasury Dept.'s Inspector General.


Previous Page  1  2 

Sign up for CIO Asia eNewsletters.