When an organization’s data is breached for the first time, you hope it learns from the situation and improves its cybersecurity systems to avoid a repeat.
However, some organizations haven’t learned much at all from a data breach—in case you haven’t noticed, we are seeing some very familiar names returning to the security media headlines. There are some differences to be sure—the attacks against Sony Entertainment were very different from the attacks on Sony’s PlayStation Network hack back a few years ago. When health insurance company Anthem was breached, it took a little while before we were reminded that the company had suffered a data breach before, when it was known as WellPoint.
Today, the IRS has joined the list of repeat-breach organizations. Only a year ago, the IRS reported the personal information of 20,000 employees was exposed because, as Reuters reported:
… [A]n unencrypted thumb drive containing the information was plugged into an employee's unsecured home network, making the information potentially accessible to third parties online.
This week’s IRS data breach is very different from last year’s breach, though. This time, according to an AP report, it was the work of sophisticated criminals who used the IRS’s own online transcript service to gain access to the personal information of 100,000 taxpayers. Stephen Cobb, ESET senior security researcher, told me in an email that he couldn’t help but notice the irony of this particular security breach:
The transcripts are used by taxpayers who are trying to cope with tax identity fraud. Just last week I met two more victims of tax identity fraud, and one piece of advice I gave them was to order their transcript; they can still do that, but now only by mail.
This particular breach also highlights another serious problem that is rarely discussed, according to Jeff Williams, the CTO at Contrast Security. In an email comment, he stated:
It appears that you can set up a more secure credential with the IRS, but I don’t want to have to run around setting up credentials everywhere I want to protect my information. I wouldn’t even know where to start and I’m sure I would miss places.
This isn’t a problem that is unique to the IRS. Think about how you register for just about anything. Typically it’s an email address or some personal information. Hackers can spoof these registrations and hijack your online identity. This whole process is nowhere near secure enough.
Also, the process is designed to make customers responsible for the security practices of an organization. Is that the reason why we’re beginning to see repeat security offenders—do they still consider security to be someone else’s problem? Or do they think that if they correct the breach, the other security holes are magically fixed?
Maybe it’s time that security audits become mandatory.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba