IRS leaks 100K taxpayers' data to identity thieves

The IRS sent extensive dossiers on 100,000 US taxpayers to identity thieves who used weak "secret security" questions to trick the agency's "Get Transcript" service.

Like many services, the IRS had a lost password recovery system that relied on answers to standard questions, which the identity thieves were easily able to extract from public sources like credit-reporting bureaux.

But the IRS's vulnerability to this kind of breach is much, much worse than any of those other services, for two reasons. First, the IRS's files contain more compromising personal information than virtually any other entity. Second, because the IRS won't let you protect yourself from this sort of attack by using false answers to those questions: it's a criminal offense to lie to the IRS about your sensitive information, and its security questions rely on the answers in your tax-return, as opposed to answers you've supplied for the purposes of authentication.

When I'm prompted with "secret questions," like "What is your father's middle name," I use apg to generate a random string like "#TTU3@\COy,waA@F!X2dE+(1cI+BqrLbOi8,)w]fuqHJFC(E6Z062FAoB^qy^`w" and use that as the answer. The IRS system denies this self-help measure to people with the nous to use it.

In her fantastic debut column for The Intercept, Farai Chiyeda digs into the ways that companies are able to get away with breaches virtually consequence free, and the conflicted role of the government in regulating breaches — if the state believes that it can only preserve itself through spying, it's not exactly in a hurry to make businesses airtight and hacker-proof.

While it would be easy to blame consumers — saying they should monitor their information more closely — the problem of data theft is endemic, and frustration is justified. The EFF's Tien says, "Back in the day we'd be asked, 'What are the 10 things a consumer can do to protect themselves?' I hate to be a gloomy Gus, but the message I give journalists and others is there's basically nothing you can do. It's like saying, what can you do about climate change by yourself … when the problem is structural architecture and the flow around your data." (The EFF does offer individuals Privacy Badger, a tool that blocks third parties from tracking which sites you visit as you surf the Internet.) Politicians, Tien notes, including the first successful data miner in chief, President Obama, have "very mixed incentives about stomping on this area."

Your Data is Showing: Breaches Wreak Havoc While the Government Plays Catch-Up [Farai Chiyeda/The Intercept]

IRS Statement on the "Get Transcript" Application [IRS]

(Image: IRS 1040 Tax Form Being Filled Out, Ken Teegardin/Senior Living, CC-BY-SA)