Skip to content

IRS Secret Files Data Breach and Your Business

The recent story by ProPublica dubbed by their president Richard Tofel called “the most important story we have ever published” is gaining traction and attention.

The IRS hosts highly sensitive tax information on every American citizen and business and such a breach is a violation of privacy entrusted to the IRS. Tax information is understood to be confidential and disclosure or improper use done knowingly or recklessly could lead to criminal liability and/or imprisonment under – “Taxpayer Bill of Rights 8: The Right to Confidentiality.”

We do not know how this nonprofit investigative news operation got its hands on this highly confidential information and it seems unlikely ProPublica would reveal its source(s). We are left, therefore, to speculate on what may have happened.

First of many more to come

ProPublica’s top editor Stephen Engelberg said in an article with the WSJ, “We anticipate covering this for many, many months, if not years. We have really sort of scratched the surface of what needs to be said and drawn from this material.” The article also mentions that the investigation is based on “a vast trove of Internal Revenue Service data on the tax returns of thousands of the nation’s wealthiest people, covering more than 15 years.”

That clearly means there is more news from- the Secret IRS files. This leads us to the important question:

“How safe is everyone’s tax information and who would have access to them?”

Hopefully, the investigation by the federal authorities and IRS on the leak – if information was hacked or came directly from within the IRS – will shed light on the integrity and availability of this confidential information.

Basic Cybersecurity recommendations

Keeping the discussion and debate on the consequences in case of a breach and the strength of IRS multistage authentication and layered security systems, let us now look inwards, to make sure your data is adequately protected.

This incident stresses the importance of having well-defined and up to date cyber defenses in place for every business out there. Without getting too technical, here are a few simple recommendations that everyone, (even those who are not tech-savvy) can follow to secure their online presence.

First let us understand that security is everyone’s responsibility, so make sure you cover the basics, irrespective of who manages both your cybersecurity and your accounts. Basic Cyber Hygiene includes:

  • Use strong passwords (passphrases are recommended) and keep them highly confidential.
  • Change your passwords frequently and if in case you share the password with someone, change it as soon as the task is complete.
  • Use Multifactor Authentication (MFA). MFA is an option that allows users to receive a security code, for example, as a text or call to a mobile phone or an email.
  • At a minimum, use basic security software that includes essential tools including virus/malware protection and a firewall. Make sure to switch on automatic updates.

Here are a few universal recommendations you can ask your cybersecurity vendor to provide.

  • Perform Vulnerability Assessment and Penetration Test (VAPT) at least once per quarter so that you can identify and prioritize risks.
  • Create multiple data backups regularly and take other necessary steps to avoid the cost and reputation impact of a ransomware attack.
  • Provide customized alerts, security recommendations and reports specific to your assets, industry and team to comply with industry standards and regulations.