On Monday, the Internal Revenue Service (IRS) widened the scope of the breach it first announced in May, saying that accounts belonging to up to 390,000 taxpayers are now at risk.
While the data breaches at the IRS and another major government agency, the Office of Personnel Management (OPM), vary in their perpetrators' ultimate goals – one for financial gain and the other for espionage – both demonstrate loopholes in government systems, and most notably in verification.
OPM traced its monumental data breach back to a third-party contractor's credentials. The IRS said its May data breach stems from information gleaned from an “outside source,” according to its official statement.
Since the breach, OPM and other federal agencies have stepped up their authentication measures, particularly for privileged users accessing sensitive information. For agencies dealing with the broader public, it remains to be seen how secure verification will be handled, particularly at the IRS.
The agency's breach occurred after attackers had already obtained “sufficient information” from an outside source, allowing them to “clear a multi-step authentication process, including several personal verification questions that typically are only known by the taxpayer,” the agency said.
These questions often rely on seemingly obscure information, which used to be difficult to find, Bill Ho, CEO of Biscom, said in an interview with SCMagazine.com. Personal verification previously relied on phone calls with an agency employee, but now with social media and a wider online presence, “you can find out or guess a lot of the answers to the questions that are being asked,” Ho said.
The system does have its merits, though, given that individuals of widely varying ages and levels of technical familiarity access their past tax filings online.
“The government has a ton of people in its database and all this really confidential information, and they're designing their systems around people who aren't necessarily tech-related,” Ho said. “It's everyone. They've got to make [their systems] accessible by the majority of people who are out there.”
The IRS wouldn't comment on two-factor authentication and whether it has plans to roll it out.
“Finding [this personal information] for an individual is difficult,” Leo Taddeo, CSO of Cryptzone, said in an interview with SCMagazine.com. “But finding it for someone, anyone, will work, especially if you cross databases, and not to mention what's available on the criminal marketplace.”