Treasury Department hack raises IRS exposure questions
Monday, December 14, 2020
We all have enough to worry about right now and I don't want to add to anyone's anxiety, but I know some in the tax world are wondering about the implications of the Treasury Department being among U.S. agencies breached by apparently foreign hackers.
Multiple news sources reported this weekend that cyber intruders made their way into Treasury, Commerce and the Department of Homeland Security. Word of the U.S. government hacks come on the heels of an announcement by a global cybersecurity firm that it had been breached.
Right now, we don't know exactly what happened at Treasury. We're still awaiting an official response from that department, which includes the Internal Revenue Service.
And let me be clear that so far there is no indication that any IRS data was compromised by the Treasury hack. But I do know that I and most of my tax community colleagues will feel much better when those offices officially tell us our (and our clients') information is secure.
Meanwhile, here's what is known and/or being reported on the cyber attacks.
Server software appears as illicit entryway: Industry experts said the attack on Austin, Texas-based SolarWinds has hallmarks of similar Russian cyber activity. SolarWinds' server software is used by hundreds of thousands of organizations worldwide, including most Fortune 500 companies and multiple U.S. federal agencies
Federal investigators also are still investigating another recent cyberespionage campaign involving prominent cybersecurity firm FireEye. FireEye's customers include federal, state and local governments and top global corporations.
SolarWinds reportedly was the apparent conduit for the Treasury and Commerce Department hacks and the FireEye breach.
Investigation just beginning: Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency (CISA ) who was fired last month by Donald J. Trump after Krebs vouched for the integrity of the presidential election, said in a tweet Sunday that "hacks of this type take exceptional tradecraft and time."
Also, hacks of this type take exceptional tradecraft and time. On the 1st, if this is a supply chain attack using trusted relationships, really hard to stop. On the 2nd, I suspect this has been underway for many months. Need good detections to find victims and determine scope.— Chris Krebs (@C_C_Krebs) December 13, 2020
Krebs also commended his former CISA teammates, saying "they know how to do this. This thing is still early, I suspect. Let's let the pros work it."
That wait-and-see approach also is evident at the hacked agencies, which have yet to comment on the breaches. I get it. The federal government needs to get a handle on just what and how much of its online information was accessed.
One government official did say it was too soon to tell how damaging the attacks were and how much material was lost.
Corporate officials were a bit more talkative, saying it looks as if the attacks had been underway as early as this spring, meaning they continued undetected through months of the pandemic and the election season.
IRS exposure concerns: Some in the tax community are a bit concerned since that time frame covers the 2020 tax season's delaying filing of tax returns, as well as when the IRS began issuing COVID-19 relief payments.
Some of those coronavirus payments went to people whose full information wasn't previously in the agency's database until they registered it online to get their money.
Again, not to overreact, but Treasury is the home to the IRS, which is a regular target of hackers. In addition to the routine taxpayer identity theft concerns, the IRS had some of its programs attacked and successfully hacked before, notably back in 2016 when a breach of its Get Transcript tool exposed 100,000+ accounts. That online service was down for more than a year while security was upgraded.
So Treasury' eventual — and by eventual, I'm hoping that means soon — answers and explanations about this latest breach are important.
It's not just the millions of taxpayers, whose accounts are maintained by the IRS, who want some clarity and assurances, but so do the tax professionals nationwide whose professional data also is in IRS hands.
Staying on top of cyber reports: Until then, in addition to following the usual media resources — the Associated Press, New York Times, Washington Post and Reuters, which broke the story, have good overviews, as does Reuters' cyber reporter Chris Bing — I suggest you check in regularly with Krebs on Security, the online cyber security reporting of Brian Krebs, who despite the shared surname, is not related to the former CISA Krebs).
Krebs' piece on the SolarWinds situation has lots of good background and further explanation for all us non-cyber security experts.
Of particular note was Krebs' sharing of all of SolarWinds' federal customers. In addition to Treasury and Commerce, they include the State and Justice Departments, all five branches of the U.S. military, the Pentagon, the National Aeronautics and Space Administration (NASA), the National Security Agency (NSA), the National Oceanic and Atmospheric Administration (NOAA) and, wait for it, the Office of the President of the United States.
So don't be surprised for this investigation to take a while.
You also might find these items of interest:
- All states now have tax data breach notification laws
- IRS security breach highlights need to rethink online privacy
- Former college student pleads guilty to trying to hack Trump's taxes
You can follow this conversation by subscribing to the comment feed for this post.