68 comments

[ 2.0 ms ] story [ 66.0 ms ] thread
Accenture is the contractor responsible.
Perfect. It’s not like the gov to pass the buck to a corpo.
IMO the resposibility is entirely on IRS. They chose the contractor, they wrote the legal terms and conditions, they vetted them out and they presumably did the due diligence for security.
They also provided them with training, access rights, and general governance over the data.

I'd personally blame 70% of the blame on the IRS, 30% on the contractor. Organizations should not be able to skirt blame by way of contractor IMO. Hope the IRS gets fined for gross negligence and breach of data. (lol)

How many non-background-checked foreign employees work at Accenture on this project and have access to all these files anyway?
I strongly encourage you, without a hint of sarcasm or glib, to file a FOIA request to find out.

https://muckrock.com is my weapon of choice for data liberation, but a letter or email works equally well.

Here’s the problem: government contracting is complicated enough that only a few companies can wade through it and the overhead encourages big general services contracts so you don’t have to repeat that process every time someone wants to setup a Wordpress blog. Those companies put in bids featuring their key staff, who are qualified. That’s who the government meets with and who answers all of the questions.

Contractors come and go, and the government isn’t supposed to micromanage them - that’s one of the features theoretically making them less expensive than staff - so those qualified people may never be seen after the start of the project, or they might be in some kind of “oversight” capacity where they’re quintuple booked theoretically keeping the much cheaper people doing the actual work from failing too badly.

On the government side, they likely don’t have qualified technical staff (or enough of their time) after years of “cost savings” where every dollar cut from the staff budget corresponds to 2-3 dollars going to contractors. That means that problems will progress further, especially because the contract PM isn’t going to say that the contract developers are doing terribly after months of saying sprint velocity is good. Even if they’re on different contracts, the odds are good they’ve either worked together before or don’t want to rule out future work at the other company.

So, things careened down the tracks and now people are realizing that the green lights on dashboards were in fact optimistic. The government can ask for things to be fixed but if there’s pushback, they risk _every_ project on that contract and it’s expensive because they have to show some kind of malfeasance to get money back or possibly even to stop wasting more (want to bet there’s never been any scope creep which could be blamed?). It’s _much_ easier to try seeing whether the claim that this was a one-time mishap was true than to deal with all of that.

Any time you see something like this, it’s always possible that you have someone totally failing to do their job but it’s far more likely that you’re seeing a bunch of people trying to do their best with a system they know isn’t effective but which they have no direct means to improve.

That the buck stops with the IRS (agree with you there) doesn't absolve Accenture of its responsibility to the IRS.
My agreement is with the IRS, not Accenture.

The IRS is 100% responsible.

I agree with your assessment of responsibility, but it’s not clear the extent that your obligation to the IRS is even an “agreement”.
Have you not been told the Good News of The Social Contract? /s
the forms in question are US non-profit declarations 990-T. The same data was released a second time, minus less than 2% of them. There are a lot of dark corners in the USA non-profit world, in case you don't know it. The vast majority (a million?) of USA 990 non-profits are the sort of small time operation you might expect, but there is a tiger of a long-tail on that one. Many major hospitals and the US Football league NFL, are "non-profit" and would file the same forms.
The US Football league NFL also has an antitrust exemption so is deserving of public scrutiny.
NCAA is predicted to go for antitrust exemptions as well as lobby for legislation to dump the requirement to pay student athletes - all things Baker is expected to do, leveraging his political connections as a former governor and figure in the republican party.
I'm under the impression that the NCAA (or at least the schools) fought hard to legalize paying student athletes. Most big schools were illegally paying their players before it was allowed.

if they wanted to spin off college football to a semi-pro league and let actual students play the game instead of "students" who get private tutors, sleep in a private dorm, have a private cafeteria, take exclusive classes, and generally don't interact with the rest of the student body, I would support this movement.

I don't believe this is correct, which is why competing leagues pop up every few years.

You might be thinking of Major League Baseball?

A trust or monopoly doesn't prevent competitive companies forming, just makes it very hard for them to succeed.

Baseball has an exemption due to a court case, though their hiring cartel was broken in the courts, resulting in free agency (same for NFL, with the Roselle(?) case).

But the important one is all about the money: monopoly control over monetization of broadcast. I direct you to 15 U.S. Code § 1291 which you can read for yourself at https://www.law.cornell.edu/uscode/text/15/1291

That only applies to TV broadcasting rights agreements between teams, it's nothing like the actual league antitrust arrangement MLB has. This is why you always see competing leagues springing up in football, but not baseball.
> US Football league NFL, are "non-profit"

This is not true now, and arguably never was (at least not with the intention it's generally applied).

The NFL relinquished its tax exempt status in 2015, but even before that the NFL was not a 501(c)(3) but a 501(c)(6) (a trade organization) -- for interests of fairness (proven more necessary recently by actions of the Washington Commanders) the NFL collected ticket moneys and broadcast earnings and then distributed the money to the teams, where it was taxed. Without that, they'd have been taxed on the collection and on the disbursement, which would have meant that the teams were taxed twice.

There are, to my opinion anyway, better reasons to be mad at the NFL than as a tax dodge, because they weren't ever particularly good at meeting the definition.

https://www.snopes.com/fact-check/tax-season/

does a 501(c)(6) file a form 990-T ?
> This is not true now, and arguably never was

you mean to say in your first breath that the 501(c) series of US IRS tax structures are not called "non-profit" but then in the next breath confirm that the NFL was in fact 501(c)(6) ?

I do not say I was "mad" so, let's not include that as a summary of what I wrote, eh?

Apologies for failing to quote the entirety of relevance. My statement isn't that they aren't a non-profit, but that their status as a non-profit isn't particularly suitable for inclusion in a case of "dark corners" of non-profit organizations.

If that wasn't what you were trying to do, then I apologize for letting my confirmation bias get in the way of more accurately addressing the criticism.

Fortunately my opaque non profit files a different 990
(comment deleted)
> "The agency is reconsidering its relationship with the contractor Accenture on this project, according to a person familiar."

Any time I start to feel that Impostor Syndrome creeping in, I need to remind myself that there's someone who's working at Accenture probably earning 2x or 3x what I am, who gets to fuck up big not once but _twice_ doing the same wrong thing.

Doesn't Accenture offshore a lot of its work to India and other third-world countries?

So the Accenture engineer probably gets paid a lot less than you.

Edit: According to Wikipedia, yes:

> In 2015, the company had about 150,000 employees in India,[31] 48,000 in the US,[32] and 50,000 in the Philippines.[33]

Edit2: s/outsource/offshore, thanks. What I intended was: companies hire Accenture to outsource their development work to third-world countries.

And is far less qualified too.

I’ve crossed paths with these “consulting” types twice in my career. I don’t mean to generalize, but these so called “engineers” didn’t understand source control or versioning, didn’t understand basic programming concepts, and lacked any sort of communication skills.

It seemed like you were working with someone who watched a couple YouTube videos (and no more than a couple videos) on some framework, with no former programming, design, or critical thinking skills, and they were now given a job title.

> > In 2015, the company had about 150,000 employees in India,[31] 48,000 in the US,[32] and 50,000 in the Philippines.[33]

Pedantic: Accenture assigning work to their employees in India or the Philippines is not "outsourcing." The work was outsourced when it was handed off from the client paying the bills to Accenture, regardless of where the Accenture employees are located. By definition, Accenture cannot outsource work to their own employees.

"Offshoring" is what Accenture does by having the work done by their employees in lower-cost regions.

The reality is that South Asian subsidiaries have a revolving door of employees and are functionally equivalent to the contract labor firms. Their work output isn't any better.
Thanks for the correction.
> So the Accenture engineer probably gets paid a lot less than you.

Given that roughly 1/3 of Accenture employees are in the US, is there any evidence for you to believe that this was someone outside the US?

even in the US accenture's IT is not known for high wages. The only reason people stay there is being enslaved by US work visa like L-1, which allows Accenture to pay below market wage and keep employees on a short leash.

You won't be able to find a single american software engineer in Accenture, because of work conditions and wages, all engineers are foreigners on visas. The only americans there are salesmen and admin staff.

> You won't be able to find a single american software engineer in Accenture, because of work conditions and wages, all engineers are foreigners on visas.

That is false.

You do know that legally Accenture has to go above market wages in that locale for H1B workers?

Using your own stat, it is objectively probable (66% chance) that this was someone outside the US.
That is not my stat. It was provided by the OP.

1. How much of that split is between engineers and non engineers?

2. Outside the US can also imply other high cost regions like London.

All I am asking is evidence this was a low paid non-US engineer that caused this not assumptions rooted in bigotry.

No, government contractors do not staff foreign nationals to US projects.

US contractor labor rates are typically below market, and typically auditable as GSA labor rates (T&M).

It’s possible there was “outsourcing” to some lower-income area in the US. Most large firms setup large dev factories in the Midwest/south-Midwest.

One caveat to your logic... some sensitive pieces of financial information cannot be offshore. We've had to use onshore contractors because regulations wouldn't allow us to use offshore for some of our sensitive financial data in the system, and I think it also covered SSNs.

Although I would still guess that for reasons other than being offshore, they are earning market or less (or overworked to reduce any higher comp to lower effective hourly rates).

Accenture relies on a revolving door of young, cheap, inexperienced labor.

A developer in the U.S. has far better employment options.

In the EU they did near-shoring to Ukraine... it's a shit show.
They are like IBM. They can fail at everything forever and still get work.
Everyone I've met at accenture actually was paid below market, and usually billed at 5x their cost, or more.
To be fair, they probably have hours of meetings telling them about the importance of compliance and the dozens of onerous security related administrative burdens that go with it.

It can be hard to do the real important security stuff when burdened by the administrative security and audit requirements requisite with government work.

A lot of smart people leave in frustration.

(comment deleted)
Title should probably read IRS Contractor accidentally releases the data again…

This is bad of course, but I’m kind of amazed it was only 112k. Given the 330some million citizens, and presumably some more entities that also pay taxes, this is a relatively small number.

I'm less concerned about the occasional unintentional f'up, and much more concerned about the targeted and politically motivated intentional leaking of information.
Are you saying “I’m not concerned about data leaks that I could potentially be affected by and have my own personal information leaked through as much as I am about a celebrity billionaire getting their tax records released after years of litigation and after lawsuits going all the way to the Supreme Court (or others like him)?”
I would say I find government corruption to be more concerning than government incompetence. For the same reason that I would find a crime committed with intent to be more concerning than a crime committed with negligence. Neither are unconcerning though.
Corruption is a very serious allegation and typically involves some form of quid-pro-quo (direct or indirect, tangible or non-tangible). There are contexts it likely applies, such as lobbyists and PACs getting favorable laws passed, wealthy donors getting ambassadorships, etc, but I can’t see how it applies in this case.

Are you suggesting that everyone involved from attorney generals to congressmen, senators, federal judges, and Supreme Court justices (not a one of which - including the two Trump appointees - formally registered their disagreement with the unanimous decisions/reviews or lack thereof) were, somehow, making decisions and getting something out of deciding/acting contrary to how they would have otherwise?

Look up Lois Lerner and all of the "oops we deleted those hard drives you subpoenaed from the IRS" during the Obama Administration. While some corruption involves a quid pro quo, the most damaging kind of corruption in our government today is ideological corruption.

When an unelected person has an opinion (which they're certainly entitled to have in their private life) and uses their government position to put their thumb on the scale of how people / organizations are treated to match their ideological beliefs, that's a different kind of corruption.

Knowingly and illegally violating somebody’s rights in order to enact some alternative agenda is very obviously corruption, and anybody who knowingly participated in it knowingly participated in corruption. Bribes and paying for influence aren’t the only form of corruption. Any abuse of power is corrupt.
I will not disagree with you there (have an upvote on me), but (not that we can know without it being investigated) that seems to be a straightforward case of employee theft of proprietary documents and data from their employer. If so, that’s something that absolutely should be prosecuted but it’s not a case of systematic/organization corruption (although willfully declining to investigate what happened might very well be).
I think I know the problem, they probably don't have one of those 25 minute annual data governance trainings to teach/remind them how to handle PII.
I think I know the solution, we'll double the training session (we'll use the same training, but make them spend an hour on the same material and time them) and have them do it twice a year! That'll surely reduce error rates by a quarter!
The place I work for (not the government) actually started blocking USB storage devices because of the risk of data leaks. Too many of them involve misplaced flash drives.
What they really need are more agents. I think 87,000 should do the trick.
My new thesis is that an increasing number of problems is caused by human stupidity. We are entering a world as depicted by the movie Idiocracy.
this could be solved by not requiring collection of citizens' private info at gunpoint. but im sure all the idiots who reacted to snowden by building half working "solutions" with "please donate" buttons will not get this.
What a hostile website. I land on the page, a second goes by and then I get a flashing screen that redirects me... to the same page. A few more seconds go by and then I see a "validating credentials" loading message and again just get redirected to the same page. I'm sure my privacy plugins have something to do with this but come on, why do we need to do all this redirecting for just a web article? This could essentially be static!
You're not blocking enough. The site actually manages to display text even with JS disabled which is more than I can for some others.
IRS: Fucking IDIOTS! No Liability, No accountability! Who can SUE the IRS!? :/
While we're at it, what ever happened to the ID.me clusterfuck from earlier this year? As of February they said it wouldn't be mandatory, but all accounts are still being urged to switch to that privacy nightmare.