Could the loss of data from the huge Internal Revenue Service master files cause a financial meltdown in this country? That's what some experts are pondering as the U.K. mops up the mess left in the wake of the disappearance of two password-protected CDs containing the country's entire database of child benefit recipients -- 25 million people. The breach, which happened when a third-party delivery company lost the discs, affected four out of 10 people in the U.K., the largest relative segment of a country's population involved in a privacy violation ever publicly disclosed.
The data loss happened in October, but wasn't widely reported until Nov. 20, and news coverage of the event was overshadowed in the U.S. by Thanksgiving week events.
A loss of that scale could have taken place within the IRS, "and we don't know about it," says Gartner Inc. analyst and longtime World Bank executive Avivah Litan. Over the last several years, potentially hundreds of laptops containing sensitive information have disappeared at the IRS, according to an audit reported earlier this year by the Treasury Inspector General for Tax Administration.
Like the U.K.'s HM Revenue & Customs office, the IRS maintains not just names, addresses, Social Security numbers and other personal information for individuals, but also banking details for use in direct deposit of tax refunds. Of the 128 million individual tax returns filed in the 2007 filing season, 46% requested direct deposit refunds. Likewise, the bulk of the $2 trillion processed by the agency in a year are collected via automated banking. That translates to a lot of personal and banking details maintained by the IRS.
Litan says that overall the government has been the "most behind as a sector" in the area of data protection -- "certainly behind the financial services sector." In fact, she points out, most agencies are late in submitting project plans for how they'll protect personally identifiable information, as mandated by a 2007 memorandum issued by the Office of Management and Budget.
"It's not that proscriptive yet," she says. "There are a lot of issues with data sharing. You can change your system, but you can't change your partners' systems. There's a lot of data sharing across agencies."
For example, if an agency decided to eliminate the use of Social Security numbers when data is shared, she explains, the other agency would have to agree to use the new numbering scheme.
How the IRS protects our information
Although the IRS and sources who consult directly to the IRS declined interview requests, some details of the agency's security and privacy initiatives can be gleaned from public sources.
In a congressional hearing on June 8, 2006, Daniel Galik, most recently the IRS's chief of Mission Assurance and Security Services, shared details of his agency's efforts to secure data. Of the agency's 94,000 full-time and part-time employees, more than half are mobile, "authorized to have taxpayer and sensitive information ... at locations outside of IRS office space," said Galik.
Galik reported, "There is no evidence that any IRS systems, including the master files of all taxpayer data, have ever been successfully penetrated or compromised by external attacks."
According to Galik, all IRS computers are equipped with encryption tools, providing what he described as "the capability for at least double encryption and double password protection." The computers also have the ability to encrypt all sensitive e-mails. What that does, said Galik, is twofold. It enables "the IRS to focus increased attention on our internal security controls, to prevent ... compromises that could occur from an attack by an 'insider.'" Also, he said, in the event that a laptop was lost or stolen, encryption would mitigate the loss of sensitive data.
"If it's implemented correctly, I think encryption is probably more than enough," says security consultant, author and blogger Kevin Beaver. But human and operating system configuration issues can still lead to security holes, he says. All it takes is a user leaving a laptop alone without locking the screen -- or configuring it to never lock down, no matter how much time has passed. "There's no encryption ... in the world that will prevent someone from accessing a system unprotected in this fashion."
Although the use of automated encryption exists on the equipment used by IRS revenue agents, Galik said the agency was "pursuing the deployment of a companywide automated security encryption solution for use by all IRS staff." According to an IRS spokeswoman, all of the agency's 50,000-plus laptops had automatic encryption software installed. Those who work on desktops, she says, also have encryption tools, but the process of encoding data isn't automated.
Beaver says that one potential vulnerability with some companywide encryption technologies: They're tied to user logins. "They're only as secure as the user's password and whether or not it's shared or compromised."
To prevent external breaches, Galik testified, the IRS has "100 firewalls and several intrusion-detection devices on our computer systems." But Beaver believes those network controls are "way overrated."
"All it takes is a poorly written Web application, misconfigured database, missing patch or careless user to compromise a network. I see this all the time when performing security assessments," Beaver says.
Galik's major concern is the use of portable storage devices, such as thumb drives. "These devices can be used to store ... taxpayer information and other sensitive privacy information, but yet are so small as to make them more vulnerable to loss and theft," he told Congress. Galik said he had sent a memo to all employees discussing "security guidance" for their use. That included informing people that if the devices were used to hold sensitive data, those files "must be encrypted using IRS approved encryption software."
That's a step in the right direction, says Beaver, but making sure the message gets through is the foremost problem. "It's keeping the issues on the top of everyone's mind, having reasonable and enforceable policies in place, and actually enforcing them through technical controls and management that's willing to walk their talk."
Galik would probably agree. The biggest challenges, he told Congress, are in getting people to use those tools and to follow existing security and privacy policies and processes.
The IRS spokeswoman says that in the coming year, the IRS would be doing an upgrade to its systems to ensure that all data saved to portable media devices would be encrypted. Likewise, she says, all mainframe data shipped to IRS partners undergoes encryption.
U.S. financial implications
"I think an asteroid striking the Earth is a greater probability than a recession happening through somebody draining everybody's bank accounts," says Oliver Ireland, former counsel at the Federal Reserve System and an attorney specializing in retail financial services at Morrison & Foerster LLP.
In the vast majority of cases where information is lost, "it's really lost," says Ireland.
He remembers a case in which a client had a data tape that was lost while the organization was moving offices. When the client went to the moving company to find out if it could be located, it was told trucks were cleaned at the end of the night and anything found in them was thrown into the garbage. "The chances of somebody digging through a dumpster, finding a tape and finding a way to read that tape is probably pretty close to zero," Ireland says.
Denise Chatam, author of the upcoming book Cybercrime: Secure IT or Lose IT and dean of technology at Cy-Fair College in Cypress, Texas, believes the odds of malfeasance are higher than that. If a data tape landed in the hands of someone with malicious intent, "I could go get a programmer, pay him $25 or $30 an hour, and he could translate that data into something that's usable for me," she says. "Now I could take that same information and sell it on the black market."
Quoting previously published research, Chatam says asking prices on cybercrime sites for personal data go from $100 for a Social Security number to $500 for a credit card with a PIN, and up to $5,000 for a Trojan horse program that can transfer funds between online accounts.
The good news, says Ireland, is that there's been a lot of attention paid to data breaches in the U.S. financial world, particularly in the banking system. "There are pretty extensive data security requirements that banks have to meet. They're examined for meeting those requirements," he says. "That doesn't mean that you can't have a slip-up, But it does mean those organizations have spent a certain amount of energy developing programs and educating their people about what to do and what not to do in handling data."
Ireland doesn't believe a massive data loss could ever truly create massive havoc with the banking system in this country. "People have been looking at financial fraud literally as long as there's been finance," he says. "I would worry about it in large dollar funds transfers -- not in consumer transactions. I'd worry about it in corporate transactions. There I could get more money faster." But, he points out, the systems that do corporate wire transfers are also highly secure and have sophisticated control and antifraud techniques.
Gartner's Litan also is skeptical that a data loss could result in a large-scale run on bank accounts. "Certainly, it could transpire in dribs and drabs," she says. "I don't think there could be a run on banking systems, because if there was, they'd just stop all transfers."
But financial fraud at the bank level could happen on a mass scale, says Litan, because banking regulators don't have a good handle on it. "The problem is, it's spread across a lot of different companies. If you look at any individual bank, generally speaking, they spread the pain across thousands of organization and millions of consumers. Eventually, it could build up. ... We could see fraud losses to the point where it's very disruptive."
A more likely scenario, according to Litan: Some terrorist could publish millions of bank account numbers on the Internet, "just to terrorize the banking system," she says. "'Well, we have all your account numbers. What are you going to do about it?'" That would be huge, she says, in the sense of disrupting the "smooth functioning" of the banking system.
Even the tightest security controls in the world are susceptible to the weakest link -- the person with access to the data and what he chooses to do with it. "It's hard enough controlling sensitive data in your own environment," says Beaver. "Once you turn it over to a third party [such as a delivery service], it's anyone's game."
How does a Gartner security expert protect her privacy?
While you may not have too much control over the security measures implemented by the IRS, Litan suggests basic precautions to prevent private information from being used without your knowledge -- measures she follows herself.
- 1) Never give your bank account number online. Litan says she also never shops with a bank account number.
- 2) Only transfer money between accounts that you've set up. Litan never uses a bank that lets her transfer money out of her accounts to another system.
- 3) Don't use online bank payment. "A crook could go in and set up a new payee," says Litan. "So I'm very restrictive about where money goes from my bank account."
- 4) Monitor your accounts closely by studying the transactions. She recommends at least monthly, if not more often.
- 5) Use your credit card. It's easier to get your money back with a credit card than with anything else, she says.
Dian Schaffhauser is a writer who covers technology and business for a number of print and online publications. Contact her at dian@dischaffhauser.com.