IRS sends tax information to the wrong person
Technorati Tag: Security Breach
Date Reported:
11/17/07
Organization:
United States Department of the Treasury
Contractor/Consultant/Branch:
Internal Revenue Service (IRS)
Victims:
United States taxpayers
Number Affected:
18
Types of Data:
"detailed tax information" including names, addresses, telephone numbers, Social Security numbers, and birthdates
Breach Description:
A man in Oregon requested a transcript of his tax history from the IRS and was surprised to find that he received detailed tax information about 18 other United States taxpayers in addition to his own.
Reference URL:
Northwest NewsChannel 8 (kgw.com)
Report Credit:
Wayne Havrelly, kgw.com
Response:
From the source cited above:
The envelope from the IRS was scribbled out by hand.
He was expecting a transcript of his tax history, which he requested. Along with his tax history, he received detailed tax information about 18 other people!
It included pages of information with sensitive information like social security numbers, birthdates, addresses, phone numbers, even salary information.
Congressman David Wu looked at the information and said, “It looked like someone just went into the back room, photocopied a bunch of documents and scrawled out an envelope and put it in the mail and sent it.
Congressman Wu said it's a careless breach of personal information.
[Comfyllama] Absolutely! I like how Congressman Wu took the time to comment.
Unit 8 contacted several of the 18 people who had their personal information released. None of them had heard about he situation from the IRS.
[Comfyllama] "Unit 8" is the news organization that reported this breach. 18 people have had their personal information compromised (in this breach) and they have to find out through a news reporter. Disturbing.
So what did the IRS tell Congressman Wu about the situation?
“That they looked into it, that their privacy policies prevent them from telling us the results of their internal investigation,” Wu said.
[Comfyllama] What a joke. Their "privacy policies" state that they cannot share any details of their internal investigation?! What do the "privacy policies" state about sending personal information in the mail without regard to security?
An IRS official told me all unauthorized disclosure of taxpayer information is thoroughly investigated.
[Comfyllama] Yeah you dumb taxpayer, just trust them.
Now for the IRS’s take on that handwritten envelope. The IRS says it's not unusual. Sometimes addresses are printed, sometimes they are handwritten.
[Comfyllama] Sometimes they send information to the right people, sometimes they secure your personal information, and sometimes they don't do either.
Victim Comments:
“I thought that looked very strange, not like something from the IRS,”
“I was outraged, I just couldn't say anything for a while.”
“I have an idea that whoever did this made a major mistake and i hope at the very least they're instructed that you won't do it again,
Commentary:
I always feel helpless when I think about the IRS. The IRS seems so aloof and unaccountable. The IRS should be accountable for their actions and their data security procedures should be open to public scrutiny. There is no security in obscurity.
Organizations would do well to not send personal information in the mail. Criminals going through mailboxes is becoming more and more common.
Past Breaches:
Unknown
Date Reported:11/17/07
Organization:
United States Department of the Treasury
Contractor/Consultant/Branch:
Internal Revenue Service (IRS)
Victims:
United States taxpayers
Number Affected:
18
Types of Data:
"detailed tax information" including names, addresses, telephone numbers, Social Security numbers, and birthdates
Breach Description:
A man in Oregon requested a transcript of his tax history from the IRS and was surprised to find that he received detailed tax information about 18 other United States taxpayers in addition to his own.
Reference URL:
Northwest NewsChannel 8 (kgw.com)
Report Credit:
Wayne Havrelly, kgw.com
Response:
From the source cited above:
The envelope from the IRS was scribbled out by hand.
He was expecting a transcript of his tax history, which he requested. Along with his tax history, he received detailed tax information about 18 other people!
It included pages of information with sensitive information like social security numbers, birthdates, addresses, phone numbers, even salary information.
Congressman David Wu looked at the information and said, “It looked like someone just went into the back room, photocopied a bunch of documents and scrawled out an envelope and put it in the mail and sent it.
Congressman Wu said it's a careless breach of personal information.
[Comfyllama] Absolutely! I like how Congressman Wu took the time to comment.
Unit 8 contacted several of the 18 people who had their personal information released. None of them had heard about he situation from the IRS.
[Comfyllama] "Unit 8" is the news organization that reported this breach. 18 people have had their personal information compromised (in this breach) and they have to find out through a news reporter. Disturbing.
So what did the IRS tell Congressman Wu about the situation?
“That they looked into it, that their privacy policies prevent them from telling us the results of their internal investigation,” Wu said.
[Comfyllama] What a joke. Their "privacy policies" state that they cannot share any details of their internal investigation?! What do the "privacy policies" state about sending personal information in the mail without regard to security?
An IRS official told me all unauthorized disclosure of taxpayer information is thoroughly investigated.
[Comfyllama] Yeah you dumb taxpayer, just trust them.
Now for the IRS’s take on that handwritten envelope. The IRS says it's not unusual. Sometimes addresses are printed, sometimes they are handwritten.
[Comfyllama] Sometimes they send information to the right people, sometimes they secure your personal information, and sometimes they don't do either.
Victim Comments:
“I thought that looked very strange, not like something from the IRS,”
“I was outraged, I just couldn't say anything for a while.”
“I have an idea that whoever did this made a major mistake and i hope at the very least they're instructed that you won't do it again,
Commentary:
I always feel helpless when I think about the IRS. The IRS seems so aloof and unaccountable. The IRS should be accountable for their actions and their data security procedures should be open to public scrutiny. There is no security in obscurity.
Organizations would do well to not send personal information in the mail. Criminals going through mailboxes is becoming more and more common.
Past Breaches:
Unknown
Posted by Evan Francen at 11/26/2007 9:03 AM 
Categories: Poor Business Practice, Mailing Error, Internal Revenue Service
Categories: Poor Business Practice, Mailing Error, Internal Revenue Service
Posts Atom 1.0
Comments