The Internal Revenue Service (IRS) released on Tuesday, May 26, 2015, news of a major data breach, estimated to have affected 100,000 U.S. households’ tax returns. The data was wrongfully obtained from an IRS application known as “Get Transcript,” which allows taxpayers to access their prior tax returns. This data includes Social Security numbers, dates of birth and street addresses of individuals who have filed tax returns. The hackers used the data to produce a fake 2014 tax return, and then requested that the IRS send a tax refund to a hard-to-trace debit card.

Although only a small percentage of American households have been affected, the impact is significant. The IRS stated that since the hackers were already in possession of personal information belonging to the affected taxpayers, the hackers were able to clear the multi-layer authentication process, which asks the applicant a series of personal questions with the expectation that only the taxpayer could provide correct details.

Where might a hacker easily access a taxpayer’s personal information? How about social networks such as Facebook, Instagram or LinkedIn? Social networks often encourage members to complete their public profile by answering questions such as:

(1) Who was your high school mascot?

(2) What city were you born in?

(3) What is your favorite sports team?

The social networks presumably want to connect similar individuals, perhaps old friends or schoolmates. On the other hand, hackers can access this personal information as well, especially if your profile is public. Even if your profile is set to private, hackers may be able to find a way to access this information. It’s best to assume that any information shared on a social media network can be viewed by anyone, and potentially used by them for other purposes.

Look for the Obama administration to increase the IRS budget in 2016 in an effort to enhance its data security infrastructure to protect taxpayer data. We expect further developments in the coming weeks and will keep you updated on any progress.

Jim Merrifield

Jim Merrifield is Robinson+Cole’s Records & Information Governance Manager, a member of the Data Privacy + Cybersecurity Team, and a non-attorney contributor to the Data Privacy + Security Insider blog. He has spent more than a decade helping organizations of all sizes, including law firms and Fortune 500 companies, develop and implement practical information governance strategies, policies, and best practices. He has authored numerous publications and frequently speaks on information governance and data privacy issues. Jim holds a bachelor’s degree in Legal Studies from Quinnipiac University and is a certified information governance professional (IGP).

Linn Foster Freedman

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security Team. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations. She counsels a range of public and private clients from industries such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine and charitable organizations, on state and federal data privacy and security investigations, as well as emergency data breach response and mitigation. Linn is an Adjunct Professor of the Practice of Cybersecurity at Brown University and an Adjunct Professor of Law at Roger Williams University School of Law. Prior to joining the firm, Linn served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island.