IRS breach compromises 100,000 taxpayers’ records, costs $50 million

Criminals have gained access to the tax returns of 100,000 people via the Get Transcript application on the Internal Revenue Service’s website. They then filed numerous false tax returns, defrauding the agency of nearly $50 million in refunds before it detected the criminal activity, shut down the Get Transcript app, and started investigating. The IRS has informed the taxpayers whose accounts were compromised.

IRS Commissioner John Koskinen said, “We’re confident that these are not amateurs. These actually are organized crime syndicates that not only we but everybody in the financial industry are dealing with.”

The agency said that its main computer system, which handles tax filings, was not breached.

A breach, not a hack

Many are referring to this as a hacking incident, but they are wrong. The Get Transcript app relied on knowledge-based authentication: to sign in, a user had to supply personal details and answer security questions. The criminals already had enough stolen personal information – including Social Security numbers, dates of birth, and addresses – to answer those questions, so they simply signed in. That was no more an act of hacking than it would have been if the legitimate users had signed in the same way themselves; no software flaw was exploited and no control was bypassed. The practical lesson is that a check whose “secrets” are static personal data only proves that the person at the keyboard holds that data, not that they are the taxpayer, and once the data is traded on the dark web anyone can hold it. The affected taxpayers’ personal information had already been compromised before the IRS app was ever touched.

Where did the stolen data come from in the first place?

The number of data breaches that have occurred in the last 18 months makes it largely pointless to speculate. The dark web – where stolen information is traded – is awash with compromised data:

According to Gemalto, an estimated one billion records were lost or stolen in 2014, 76% of data breach incidents affected North America, and identity theft was the main motivator for cyber criminals.

So far this year, nearly 125 million health care records have been compromised in a series of HIPAA breaches.

However, these figures only cover acknowledged security incidents: 20% of security professionals say their company has hidden or covered up a breach.

And where does stolen data go?

A recent study by Bitglass found that within 12 days of its being posted on the dark web a spreadsheet of personal data had been accessed from 22 countries across five continents, viewed 1,081 times, and downloaded 47 times. The location of the criminals who targeted the IRS website is not yet known.

Best-practice cybersecurity

If your organization collects, holds, or processes customer information, it needs to keep it safe. An information security management system (ISMS) as prescribed by the international standard ISO 27001 provides an enterprise-wide approach to managing information security risks that encompasses people, processes, and technology.

The external validation provided by accredited ISO 27001 registration will improve an organization’s cybersecurity posture while confirming to stakeholders, suppliers, and staff that best practices are being employed. Moreover, because the Standard’s controls overlap substantially with the security requirements of many legislative frameworks – including state data breach notification laws and federal regulations such as FISMA, the GLBA, HIPAA, and SOX – and of industry standards like the PCI DSS, an ISO 27001-based ISMS gives organizations a single management system through which to demonstrate much of that compliance. It does not by itself certify compliance with those other regimes, each of which has its own specific requirements and assessment process.

IT Governance’s ISO 27001 Packaged Solutions provide fixed-price ISO 27001 implementation resources and consultancy support for all organizations, whatever their size, sector, or location, from under $600.

With their unique combination of standards, books, toolkits, software, training, and online consultancy, these implementation packages provide US organizations with all they need to implement the Standard and manage their cybersecurity risks.
