IRS – Helping You Put Your Data at Risk

October 29th, 2008 by Agent Smith | IT security, In the News, security breach

Everyone fears the Internal Revenue Service! But now it’s for a new reason. It seems that using two applications the agency provides exposes taxpayers’ data to security breaches. The IRS deployed two critical computer systems even though it knew of their weak security and the risks they carried.

The Treasury Inspector General for Tax Administration (TIGTA), DarkReading explains, has recently issued a statement saying that the IRS’s mainframe-based Customer Account Data Engine (CADE) for managing taxpayer accounts and its Account Management Services (AMS) for IRS access to taxpayer data contained security flaws that the IRS had identified but did not fix before deploying the systems last year.

The billion-dollar, high-sensitivity CADE system is one of the key elements of the IRS’s computer modernization program, and it processed about 20 percent of the 142 billion tax returns filed with the IRS.

AMS, meanwhile, includes taxpayer identification numbers in its application error log, and its operating system has only a 77.8 percent compliance rate with the required security settings, according to the report.

TIGTA has no proof of any data having been compromised or accessed by wrongdoers, yet the risk is quite real.

Employees Dodge Security to Increase their Productivity

October 28th, 2008 by Agent Smith | Research and Studies, security breach

The most recent survey released by security firm RSA shows that technology workers are very resourceful when it comes to bypassing corporate security policies to get their work done more effectively.

The 2008 Insider Threat Survey showed that over 50% of those surveyed believed security policies to be too restrictive. The overwhelming majority are familiar with the policies their employers enforce, which is precisely why they know how to circumvent them. As a consequence, more than half access their work email accounts from public computers, and even more check their email over public wireless networks.

According to the Security Focus article on the survey, respondents came from three different countries, the US, Brazil and Mexico.

What solutions are there for companies in these conditions? Tightening security would definitely not be the answer. Instead of blocking employees’ access to useful technology, companies should adapt their security solutions to enable that access while still preserving the desired level of security.

Caught in the Act: IT Contractor Stole Shell Oil Employee Data

If you’re thinking of preventing insider threats by hiring consultants from outside your company, think again! Their drive to make money using others’ identities is a genuine concern. Take Shell Oil, for example, which caught one of its IT contractors stealing personal data on its employees from one of the company’s US databases.

After discovering that the unnamed employee of a vendor working on that US database had used the Social Security numbers and other information of four employees to file bogus unemployment claims, Shell Oil warned all its current and former personnel that they had been exposed to identity theft. More on the ongoing investigation in the Register.

Playing Hide and Seek with Private Records

September 29th, 2008 by Agent Smith | Data Loss, IT security, In The Spotlight, security breach

The security breach case we’re about to talk about is both troubling and funny. Missing data turning up a few days after the breach was disclosed, or, in other words, playing hide and seek with personal records, is what’s been happening at Tennessee State University.

After announcing that a flash drive containing the financial information and Social Security numbers of more than 9,000 students had gone missing, TSU proceeded to notify its students of the security breach. It also backed the announcement with credit protection for those affected.

TSU has a policy requiring Social Security numbers to be kept in protected files, yet the missing flash drive was not believed to be encrypted or password-protected. A pretty standard case up to this point: hardware is lost and leads to significant data loss, security policies are not complied with, and so on.

But! Yes, there’s a “but”: a few days after the announcement, a student turned the flash drive in and TSU released the good news. No one really knows why the student had the drive or how he got it; let’s hope the internal audit will clear up this mystery.

The fact that security policies are not really complied with no longer surprises any of us. But finding out that any student can get their hands on private records that easily is a bit troubling. And TSU’s position is a bit weird as well: ooouups, we’ve lost some pretty important data on our students! Oh, no, our bad, one of our students had it, because our protocols and policies are just for show!


TJX Effects: Forever 21 Payment Card Breach

September 26th, 2008 by Agent Smith | Data Theft, IT security, Identity Theft, online fraud, security breach

It has recently been discovered that the people behind the largest security breach in history, the TJX heist affecting 46.5 million cards, have also breached US retailer Forever 21, lifting about 99,000 debit and credit card numbers.

As the Register reported, Forever 21 disclosed the breach on its site, letting everyone know it had found out about the heist about a month ago from law enforcement officers. There were 9 specific dates on which the payment card system was breached, spread from March 2004 to August 2007. The breach exposed card numbers and expiration dates, along with other stored details that Forever 21 did not disclose.

If you’re looking for Forever 21’s official statement, read the Register’s explanation of how to get to it; apparently it cannot be linked to directly… So much for transparency, and for caring more about your customers finding out and being protected than about your image, which will be affected anyway…