29 comments

[ 3.4 ms ] story [ 70.2 ms ] thread
Wow, so who foots the bill for this one?
Who do you think? Taxpayers, of course.
At least the victims are getting letters. Corporations are required to do it, but governments often exempt themselves from the same employment and data handling requirements they place on business.
the article seems to suggest that the hackers had access to stolen data, Target comes to mind within the US. Did Target share the hacked data to the FBI so the feds can cross check with the data irs released and send the offending company the bill before we pick up the pieces. Can the federal government legally do it since the statute of liability has not expired yet? "Is there a lawyer in the house?"

If the hackers had access to data outside the US, then it may have to be us the taxpayers, unfortunately.

How many people will now try to file fraudulent tax returns and claim their identity was stolen in the hack?
That would be pretty silly thing to do and I hope no one actually act on this idea. Hackers enjoy it because they are using "mules" providing their checking accounts and then sending wires or western union transfers. Normal person will get caught. While it is possible to setup perfect crime, I bet most will not be able to and end up in jail if they try.
Pretty silly to take things way too seriously and hate on a decent hypothetical gaming opportunity, don't you think?

With perfect security hygiene, more things are attainable.

But an even more perfect crime is hedging both sides of an option with phony identities, with different amounts, different enough times, different brokerages, different IP addresses, etc.

Feel free to try it out and report back.

people smart enough to pull it off, i believe, can make equal or more money doing legitimate things :) at least i want to believe they can.
(comment deleted)
The congress has been starving IRS of funding to reduce their effectiveness at tax collection. So it's not shocking that environment would create a situation where this type of systemic failure would occur.

A guy I know worked for an IRS regional office in an enforcement/audit role for something like 40 years. He had something like 75 co-workers in that role in 1999 and retired with 8. Technology actually increased their workload, but with less people, they only targeted the most egregious violations.

He stuck around because he was really passionate & dedicated to his work. He was a guru on some very specific/arcane areas and wanted to transition it to somebody. That never panned out, so he gave up and left when his health declined.

I get that quality of IRS work falls with less staff, but on the other hand - maybe it is a good thing? May be it will force changes? While not the worst in the world, USA tax code is... complicated. Maybe it could be simplified.
There's a balance. I think for a system to work, it needs to be fair. If the rules suck, change the rules.

But by implicitly ignoring the rules through inattention, except when you don't, it creates a perception of corruption and arbitrary behavior.

current system appears to work as long as you pump people into system to do work.
I don't see how defunding the IRS does anything but promote a Greece style economy which will rapidly spiral out of control.
Congress is responsible for simplifying it. Defunding the IRS still has no impact on it.
The IRS has no say in the tax code. Their only job is to enforce the law as it is currently written. If you want the tax code to change, talk to your Congressman.
So it's not shocking that environment would create a situation where this type of systemic failure would occur.

The IRS budget is $10 billion/year[0]. Is that enough money to expect decent security? If not, what is? Are we allowed to demand security from smaller organizations, or only from Google-sized or larger?

If we expect small businesses to protect our information, it's not too much to ask for the same from a $10b/year government department.

0. http://www.politico.com/story/2015/06/gop-irs-budget-118835....

The way Federal budgeting works, congress appropriates money for specific purposes. They've had something like $1B in operations funding cut over a 2-3 year period.

The politicians love to hand wave about "big government" and "do something" about the evil IRS. But actual simplification of the tax code would cost their political patrons too much money, so they make it easier for folks to break the law.

Findings from a GAO report this year: http://www.accountingweb.com/tax/irs/gao-report-links-irs-pr...

The actual report: http://www.gao.gov/products/GAO-14-298

(comment deleted)
(comment deleted)
How relevant is funding level to an organization's ability to secure its data? Some very large and well-funded companies have been hacked, and it seems to me that many of the properties of our technology that allow security breaches are independent of funding---security is hard, whether rich or poor.
I'd really like to see a solution to how we validate ourselves to banks and other financial institutions as it becomes apparent that Social Security numbers are no longer an effective barrier to identifying a person. It would be nice if we could easily change our identifier and have a service which banks used to validate against.

Something similar to using Google to logon to certain services rather then creating a user name and password. Then you can make a single point much more secure and difficult to log into.

The downside of this is that I think the US government would have have an in person verification system to get an account. I.E. you go into the DMV, get an account and then you are connected to the service. You can then implement 2 factor authentication, and you link that service to your bank accounts.

I have no clue if this would actually be more secure then what is already in place, but it seems more then likely that hackers already have my Social Security number and my previous residences because of the OPM hack.

Sweden has a system similar to what you describe. It's called BankID and is issued by any bank. You can use it to file your taxes and sign various documents like address change online.
Just another reason I'd like to move to Sweden.
> I'd really like to see a solution to how we validate ourselves to banks and other financial institutions as it becomes apparent that Social Security numbers are no longer an effective barrier to identifying a person.

They were never intended as anything more than a payroll identifier. This was known since its inception [that it was unsafe]. Its simply a question of the scale of exploitation is larger with computers.

The underlying problem is security is a cost center and no one wants to pay for it.

Rather like the Korean or Estonian systems. Although once you implement an ID system it becomes a nonremovable cookie that will end up being required in more and more situations.

(It also means that if the system can be broken you can steal someone's identity very easily and thoroughly)

And given an event like this sucking more resources out of the IRS, I guess I and others marked to be audited (they didn't believe I existed at first?) won't get our returns any time soon.
I would like to close the IRS. Like the (current) Fed, it's spent over 100 years stealing resources (with the threat of violence) from the American people and redistributing them to the top. The rest goes to bombing the 'enemy' of the day and bailing out their various ponzi schemes.