Just in time for tax season comes word of all kinds of security breakdowns within important tax-related organizations.
In its review, the IRS identified unauthorized attempts involving about 464,000 unique Social Security numbers. About 101,000 Social Security numbers were used to access E-file PINs.
Also, several tax preparation companies reported breaches, which were likely caused by poor password management. One of those breached companies was TaxSlayer, whose director of customer support Lisa Daniel was quoted by eSecurity Planet:
As a result of ongoing security reviews, TaxSlayer identified on January 13, 2016 that an unauthorized third party, whom we believe obtained your username and password from another online service, may have accessed your TaxSlayer account between 10/10/2015 and 12/21/2015.
The reason for wanting to hit organizations involved in the tax industry is simple, as Dodi Glenn, VP of Cyber Security at PC Pitstop, told me in an email:
Companies like TaxAct and TaxSlayer are gold mines for PII, since they often contain names and addresses, Social Security numbers, bank account information, and other data contained on tax returns.
Glenn went on to say that these organizations have a responsibility to do a better job at protecting that information with steps such as conducting regular security audits of their systems or performing code audits on the software they are shipping, whether it is downloadable or on the web.
And I agree with this 100 percent. Organizations need to do their best to protect their customers from potential fraud and identity theft. However, another issue is at hand here. These hacks involved authentication issues and, according to new research from SailPoint, we find that employees are only too willing to compromise passwords, especially if there is a price tag involved – and that price is surprisingly low, with one in seven employees saying they would sell passwords for $150. As Watchpointdata.com reported:
If employees are passing around their passwords, or even selling them, then the prospect of insider threat becomes even more of a likelihood.
Of course, consumers aren’t much better: their tendency to reuse passwords across sites, or to choose simple ones, makes it easier for hackers to abuse them.
And if that’s the case, no matter how good your company’s security testing is, your data – and just as importantly, your customers’ PII – are at risk.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba