Everyone fears the Internal Revenue Service! But now it's for a new reason. It seems that using two applications it provides exposes taxpayers' data to security breaches. The IRS deployed two critical computer systems although it knew of their weak security and the risks they carried.
The Treasury Inspector General for Tax Administration (TIGTA) office, DarkReading explains, has recently issued a statement saying that the IRS's mainframe-based Customer Account Data Engine (CADE) for managing taxpayer accounts and its Account Management Services (AMS) for IRS access to taxpayer data contained security flaws that the IRS identified but did not fix before deploying them last year.
The billion-dollar, high-sensitivity CADE system is one of the key elements of the IRS’s computer modernization program, and processed about 20 percent of the 142 billion tax returns filed to the IRS.
AMS, meanwhile, includes taxpayer identification numbers in its application error log, and its operating system has only a 77.8 percent compliance rate with the required security settings, according to the report.
TIGTA has no proof of any data being compromised or accessed by wrongdoers, yet the risk has been quite real.
Biometric security systems are cool and are receiving quite a lot of media exposure. They are also starting to become commonplace, as more devices, such as laptops, start to implement them and individual users thus gain access to these technologies. But are these security devices really effective?
ITSecurity.com has recently published an extensive article analyzing the pros and cons of different biometric measurements, such as fingerprints, iris and facial traits. While fingerprint readers can be fooled with latex copies, more secure readings, based on iris or facial recognition, are either expensive or restrictive. For example, eye/iris readings leave out disabled personnel. However, fingerprint readers are commonplace, and anyone can recognize them and understand their utility.
In the end, the most effective biometric security system seems to be based on facial readings. This metric isn’t exclusive when it comes to the people it can scan, but access is definitely restricted by costs. So what would you choose? Higher quality or a lower cost?
The most recent survey released by security firm RSA showed that technology workers are very resourceful when it comes to bypassing corporate security policies to get their work done more effectively.
The 2008 Insider Threat Survey showed that over 50% of those surveyed believed security policies to be too restrictive. The overwhelming majority are familiar with the policies enforced by their employers, which is why they know how to circumvent them. As a consequence, more than half manage to access their work email accounts from public computers, and even more check their emails through public wireless networks.
According to the Security Focus article on the survey, respondents came from three different countries, the US, Brazil and Mexico.
What solutions are there for companies in these conditions? Tightening security would definitely not be the answer. Instead of blocking employees' access to technological advantages, companies should adapt their security solutions to enable access while still preserving the desired level of security.
Deloitte has recently admitted it had lost a laptop containing pension details on hundreds of thousands of individuals. What is different, though, is that this time the laptop contained encrypted information and was password-protected, and no misuse of the stored information has been discovered. While losing laptops is not something to take lightly, I am happy to report that whoever has it won't be able to easily access the stored information.
So what did the laptop contain? According to the Register, 150,000 railway workers' details, details on all UK Vodafone staff with pensions, as well as records of other unnamed pension funds were stored on the said laptop. No addresses or bank information, though. How was it stolen? From the handbag of a Deloitte employee. Vodafone staffers, as well as the railway workers, received letters letting them know what had happened soon after the theft. We're now looking forward to seeing where the "thorough investigation" takes Deloitte.
If there were any Indianapolis inhabitants whose past hid minor drug or alcohol offenses, their secrets were revealed by the new website developed for the city of Indianapolis. 33,000 individuals were affected by this incident, the records being available for 11 days from September to November.
The spreadsheet accidentally posted online contained the names, dates of birth and social security numbers of all those charged with minor offenses in 2006 and 2007. It was taken down on October 9, when the Information Services Agency found out about it.
To make sure no other breaches occur, the entire site was taken offline and replaced with its old version, although officials told Indystar they were confident no other sensitive information was exposed. The cause of this breach was human error, concluded Kevin Ortell, interim chief information officer.
About 1,000 former students of the Southwest Mississippi Country College were warned against identity theft threats after having their private details exposed on the internet. The breach was quickly fixed by the college's representatives.
Steve Bishop, vice president of student affairs, quoted by WXTV, stated that the breach was unintentional and that it was fixed about 12 hours after being discovered. The exposed data included names, addresses, and only in some cases social security numbers.
If you're thinking of preventing insider threats by hiring consultants from outside your company, think again! Their drive to make money using others' identities is a genuine concern. Take Shell Oil, for example, which caught one of its IT contractors stealing personal data on its employees from one of the company's US databases.
After discovering that the unnamed employee of a vendor working on said US database had used the social security numbers and other info of four employees to file bogus unemployment claims, Shell Oil warned all its former and current personnel that they had been exposed to identity theft. More on the ongoing investigation in the Register.
As more and more data breaches are revealed and debated online, the number of victims of such incidents increases. From never-ending sales calls to having items charged on your card to seeing credit ratings go down the drain to identity theft, these people are the ones who feel the most powerful consequences, not the companies where the breaches occur.
So what are these people to do to protect themselves and get back to how things were? As far as credit ratings are concerned, UK victims are advised to use the Data Protection Act to rebuild them. According to E-Victims.org, a former support group for cybercrime victims quoted by the Register, even after establishing fraud and absolving themselves of liability for fraudulent debt, data breach victims still have poor credit ratings.
As credit agencies rely on data from lenders, not on corrections communicated by those who borrow money, the organization says the Act could be used to force lenders to correctly communicate the status of fraud and data breach victims. Otherwise, even if they get new credit, victims of such breaches will still have to pay higher interest rates. The Register also directs victims to a factsheet published by E-Victims.org aimed at helping them with their credit reports.