What Can We Learn from the IRS Hack?

Nichola Parker was interviewed on the subject of data security and the IRS hacking for ABC7 News, WJLA’s Government Matters with Diane Cho on August 23rd, 2015.

We have seen a spate of high-profile breaches in the past two years, from Target, Home Depot and JP Morgan through to the more recent attacks on Anthem, Premera and the Office of Personnel Management (OPM). After each attack in which personal information is stolen, people scratch their heads and try to fathom how that information could be used. What are the hackers hoping to achieve? Where will my information end up? Well, what if some of these hacks were connected?

Hypothetically, let's look at how the OPM hack could relate to the recent Internal Revenue Service (IRS) hack. In the OPM hack, intruders seized personal data, including social security numbers and people's dates of birth: exactly the data that can be reused in future attacks on different systems or businesses. When cybercriminals hacked the IRS, the breach occurred at the authentication layer. According to the IRS, the hackers used personal information already obtained elsewhere to get past the agency's multi-step authentication process.

To the lurking cyber thief, only two hacks are necessary to bring an organisation to its knees. Hack 1: obtain massive amounts of data, including personal information about American citizens. Hack 2: guess the answer to a simple personal validation question. This can be as seemingly benign as the answer to "What was your first dog's name?" or "What was the first street you lived on?", and yet it is all the IRS hackers needed in order to get in. This is not a sophisticated attack; it is a dictionary attack. The hackers write scripts that run through thousands of common words and phrases, or indeed through a street directory, until an answer matches. The answer space of such a question is tiny compared with even a weak password, and if the verifier does not count and limit failed attempts per account, enumerating it is only a matter of time.

So, what is an organisation to do? The obvious step would be to build a stronger authentication system. But here is where organisations, the IRS included, face a big challenge: if the identity validation process is too difficult, people will fail or find it cumbersome, and the system will not be adopted. On the flip side, if the authentication process is too simple, hacks are more likely to occur. Knowledge-based questions sit at the simple end of that spectrum: the answers are facts that are often already sitting in a breached dataset or a public record.
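As an added illustration (not code from this article, the IRS, or any real verifier), the following Go program models both the dictionary attack described above and the trade-off in the paragraph just before it. The attacker is assumed to already hold the victim's identifiers from an earlier breach and only has to walk a list of candidate answers; `SampleDirectory`, the account identifier and the correct answer are constructed sample data. The verifier is run twice, once with no throttling and once with a per-account lockout after three failures, to show the one control that turns an overnight enumeration into a dead end.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"strings"
)

// ErrLockedOut is returned once an account has used up its failed-answer budget.
var ErrLockedOut = errors.New("account locked after too many failed answers")

// SampleDirectory is a constructed stand-in for the street directory the text
// mentions; a real one has thousands of entries, which is still a small space.
var SampleDirectory = []string{
	"Main Street", "Oak Avenue", "Park Road", "Maple Drive",
	"Cedar Lane", "Washington Street", "Elm Street", "Pine Street",
	"Lake Road", "Hill Avenue",
}

// normalize folds the variations a KBA verifier has to tolerate (case, spacing,
// trailing periods, common street-type abbreviations) so "  ELM st. " matches
// "Elm Street". Every tolerance added here also shrinks the attacker's search.
func normalize(answer string) string {
	abbrev := map[string]string{"st": "street", "ave": "avenue", "rd": "road", "dr": "drive", "ln": "lane"}
	words := strings.Fields(strings.ToLower(answer))
	for i, w := range words {
		w = strings.TrimSuffix(w, ".")
		if full, ok := abbrev[w]; ok {
			w = full
		}
		words[i] = w
	}
	return strings.Join(words, " ")
}

// KBAVerifier models the last step of a multi-step identity check: the caller
// already knows the static identifiers (SSN, date of birth) and only has to
// answer one "personal validation" question.
type KBAVerifier struct {
	answers     map[string]string // account -> normalized correct answer (constructed sample data)
	maxFailures int               // 0 disables lockout, i.e. a verifier with no throttling
	failures    map[string]int
}

func NewKBAVerifier(answers map[string]string, maxFailures int) *KBAVerifier {
	norm := make(map[string]string, len(answers))
	for acct, a := range answers {
		norm[acct] = normalize(a)
	}
	return &KBAVerifier{answers: norm, maxFailures: maxFailures, failures: map[string]int{}}
}

// Check returns true on a matching answer and ErrLockedOut once the failure
// budget is spent. Failures are counted per account rather than per source IP:
// the attacker already holds the victim's identifiers and can spread guesses
// across many addresses, so IP-based throttling alone does not help.
func (v *KBAVerifier) Check(account, answer string) (bool, error) {
	expected, known := v.answers[account]
	if !known {
		return false, errors.New("unknown account")
	}
	if v.maxFailures > 0 && v.failures[account] >= v.maxFailures {
		return false, ErrLockedOut
	}
	if normalize(answer) == expected {
		return true, nil
	}
	v.failures[account]++
	return false, nil
}

// DictionaryAttack plays the attacker from the text: identifiers in hand, it
// walks the candidate list until the verifier says yes or locks the account.
func DictionaryAttack(v *KBAVerifier, account string, candidates []string) (answer string, attempts int, found bool) {
	for _, c := range candidates {
		attempts++
		ok, err := v.Check(account, c)
		if err != nil {
			return "", attempts, false
		}
		if ok {
			return c, attempts, true
		}
	}
	return "", attempts, false
}

// DictionaryBits is the effective strength of a question whose answers come
// from a list of n entries: a 5,000-street directory is under 13 bits.
func DictionaryBits(n int) float64 { return math.Log2(float64(n)) }

func main() {
	// Constructed victim record: the SSN is assumed known from an earlier
	// breach, only the KBA answer is missing.
	victim := "123-45-6789"
	answers := map[string]string{victim: "Elm St."}

	open := NewKBAVerifier(answers, 0)
	ans, n, ok := DictionaryAttack(open, victim, SampleDirectory)
	fmt.Printf("no lockout: found=%v answer=%q after %d attempts\n", ok, ans, n)

	throttled := NewKBAVerifier(answers, 3)
	_, n, ok = DictionaryAttack(throttled, victim, SampleDirectory)
	fmt.Printf("lockout after 3 failures: found=%v, attacker stopped after %d attempts\n", ok, n)

	fmt.Printf("a 5000-entry directory is only %.1f bits of search\n", DictionaryBits(5000))
}
```

The lockout is the usability compromise the paragraph is about: three wrong answers inconvenience a forgetful taxpayer far less than an unthrottled question inconveniences an attacker with a directory, and the normalization step shows why "making the question harder" rarely helps, since the verifier must accept the sloppy spellings real users type.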

The American business community needs to wake up. Hackers are persistent, agile and determined. Once they are past the identity checks in your security system, they are in. What is more, once inside they can lie in wait, undetected, for hundreds of days while they collect data.

The solution is simple: hackers want data, so organisations must protect the data itself. Rather than relying on the security of their networks or their devices, it is the data that matters. Files are constantly shared via email, business collaboration tools, messaging services and social media, yet the files are unencrypted, almost begging to fall into the wrong hands. If encrypted data is stolen, it is worthless to the hacker, provided the keys were kept separately and did not leave with it.
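To make the "protect the data itself" point concrete, here is an added example (not code from the article or from any agency) of record-level encryption in Go with AES-256-GCM from the standard library. The record, the row identifier and the key are all constructed for the demo; in a deployment the key would come from a KMS or HSM and never sit in the same store or backup as the records. The program shows what a thief gets from a stolen blob, and that a blob moved to another row or modified in transit is rejected rather than decrypted.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewDataKey returns a fresh 256-bit AES key. This is the one thing that must
// not be stolen together with the data; keep it in a separate key store.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRecord seals one record with AES-256-GCM. Output is nonce || ciphertext || tag.
// context (for instance the row or file identifier) is authenticated but not
// encrypted, so a blob cannot be cut from one record and pasted into another.
func EncryptRecord(key, plaintext, context []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, context), nil
}

// DecryptRecord reverses EncryptRecord and fails closed on a wrong key, wrong
// context or any modified byte: GCM verifies the tag before releasing plaintext.
func DecryptRecord(key, blob, context []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, context)
}

// LeaksPlaintext is all a thief holding the dump but not the key can do:
// search the stolen bytes for the sensitive value.
func LeaksPlaintext(blob, secret []byte) bool { return bytes.Contains(blob, secret) }

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record of the kind taken in the breaches discussed above.
	record := []byte(`{"name":"J. Doe","ssn":"123-45-6789","dob":"1970-01-01"}`)
	blob, err := EncryptRecord(key, record, []byte("taxpayer-row:42"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stolen blob contains the SSN: %v\n", LeaksPlaintext(blob, []byte("123-45-6789")))

	if _, err := DecryptRecord(key, blob, []byte("taxpayer-row:43")); err != nil {
		fmt.Println("blob moved to another row: rejected:", err)
	}
	blob[len(blob)-1] ^= 0x01
	if _, err := DecryptRecord(key, blob, []byte("taxpayer-row:42")); err != nil {
		fmt.Println("tampered blob: rejected:", err)
	}
}
```

Authenticated encryption is used deliberately: a plain cipher would hide the SSN but let an attacker who has reached the database flip bits unnoticed, and the row identifier in the associated data stops one taxpayer's encrypted record from being substituted for another's.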

Now, back to the IRS: officials said they are notifying all potential victims and offering them free credit-monitoring services. In my opinion this is far too reactive. I entrust my valuable personal data to the IRS, which, I might add, makes it mandatory to provide this type of information, and I think it is fair to demand more from our Government when it comes to protecting our data.

The IRS has said it is hard for them to stop hackers. It also estimates that it paid $5.8 billion in fraudulent refunds to identity thieves in 2013. That is the GDP of a small country being spent patching a system that remains vulnerable to hackers and future attacks.

If organisations applied a multi-layered approach to security and encrypted their data, it would go a long way towards reducing the cost of cyber crime in the United States and towards keeping our businesses safe.