The Most Comprehensive Data Protection Solution

Discover, classify, and protect your data from all threats with the only Gartner Magic Quadrant DLP and Forrester Wave EDR Leader.

First and Only Solution to Converge:

  • Data Loss Prevention
  • Endpoint Detection and Response
  • User and Entity Behavior Analytics
DATAINSIDER

Digital Guardian's Blog

IRS Employee Stole PII, Committed Fraud

by Chris Brook on Thursday October 10, 2019

Contact Us
Free Demo
Chat

The case illustrates that the government agency could be doing a better job safeguarding tax payer data.

An Internal Revenue Service (IRS) employee used his privileged access at the government agency to steal the details of Americans, open credit cards in their names, and rack up nearly $70,000 in charges over the course of two years.

The Treasury Inspector General for Tax Administration (TIGTA) is currently looking into the incident, according to an affidavit filed in the U.S. District Court for the Eastern District of Virginia last week.

The issue involving the actual theft of data occurred from January 2016 and December 2017; over that span the employees stole personally identifiable information (PII) in order to open three new credit cards. From January 2016 to February 2018 he used those cards to buy $69,000 in goods and services.

The employee, an information technologist with the IRS, confirmed to a special agent with TIGTA in September that he received the credit cards and used them to purchase goods and services for his personal use.

While it details all of the fraud the employee was able to perpetrate, the court document doesn’t get into details around how the suspect obtained the data, however.

The affidavit points out the IRS employee had two of the credit cards delivered to his home address. He submitted the third credit card application using an IP address linked to his home address, in Virginia. He then proceeded to make a handful of everyday purchases, at BJ’s Wholesale Club, Lowe’s, Designer Shoe Warehouse, but also booked plane tickets using the fraudulent cards, to Sacramento and back, to Miami, and Montego Bay, Jamaica.

Again, while it's unclear how the employee stole the data – it’s possible he could have written social security numbers down, or taken a photo of his computer screen on his phone – the case still lends credence to recent claims by federal officials that the IRS isn't doing enough from an information system security control standpoint to prevent data theft.

A Secretary of Treasury appointed group, the Electronic Tax Administration Advisory Committee, told Congress earlier this summer that because of shortcomings at the IRS, more taxpayer information is being exposed to cybercriminals at the service than it should be.

A month later, in July, the U.S. Government Accountability Office warned the IRS's Commissioner in a report (.PDF) that it observed "ongoing and new information system security control deficiencies" that while not an overall weakness, were enough to pose a "a significant deficiency in IRS’s internal control over its financial reporting systems."

In its audit, the GAO said it found 14 security control deficiencies. One of the issues could have let users download an application's entire database of information "even though the function is not needed for business purposes," another allowed some users "unnecessary access to certain databases supporting tax processing systems."

"Financial reporting and sensitive taxpayer data on IRS computer systems will remain vulnerable until the agency addresses the deficiencies for which we previously made 107 recomendations... related to access control, configuration management, segregation of duties, and contingency planning..." the GAO report reads.

Tags: Financial Services

Recommended Resources


  • An overview of the FFIEC CAT
  • How to use the CAT to identify areas of risk
  • How Digital Guardian helps reduce these risks
  • A compliance timeline for all 18 provisions
  • Financial services case studies
  • How Digital Guardian can help

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.