The Internal Revenue Service (IRS) is one of the, if not the, best examples of government incompetence. Almost all of us are required to interact with the IRS. Our interactions, unfortunately, involve handing over a great deal of personal information. This is a major problem since the agency has a poor security track record. Recently it has admitted to losing control over the personal information of 100,000 tax victims:
The IRS announced today that criminals used taxpayer-specific data acquired from non-IRS sources to gain unauthorized access to information on approximately 100,000 tax accounts through IRS’ “Get Transcript” application. This data included Social Security information, date of birth and street address.
These third parties gained sufficient information from an outside source before trying to access the IRS site, which allowed them to clear a multi-step authentication process, including several personal verification questions that typically are only known by the taxpayer. The matter is under review by the Treasury Inspector General for Tax Administration as well as the IRS’ Criminal Investigation unit, and the “Get Transcript” application has been shut down temporarily. The IRS will provide free credit monitoring services for the approximately 100,000 taxpayers whose accounts were accessed. In total, the IRS has identified 200,000 total attempts to access data and will be notifying all of these taxpayers about the incident.
Perhaps I’m hypercritical, but it seems to me that we shouldn’t have to submit any of this information to an agency that has demonstrated a complete disregard for keeping it safe. I mean, the IRS’s website doesn’t even have a valid means for users to securely connect to it. If the IRS doesn’t care enough to pull a valid Transport Layer Security (TLS) certificate to protect users, then why are we supposed to trust it to store our personal information?
The worst part about this is that the 100,000 people who just had their personal information accessed have no recourse. Since the IRS is the government, it is shielded from liability and accountability. That makes matters worse, since an organization that is shielded from liability has little motivation to invest resources into fixing its mistakes.