States contend with increasingly common data breaches

Last spring, digitalguardian.com posted the following list of the 10 biggest data breaches impacting federal and state governments in the U.S.:

  1. U.S. Voter Database: 191 million affected (December 2015)
  2. National Archives and Records Administration (NARA): 76 million affected (October 2009)
  3. U.S. Department of Veterans Affairs: 26.5 million affected (May 2006)
  4. U.S. Office of Personnel Management (OPM): 21.5 million affected (June 2015)
  5. Virginia Department of Health Professions: 8.3 million affected (May 2009)
  6. Office of the Texas Attorney General: 6.5 million affected (April 2012)
  7. Georgia Secretary of State Office: 6.2 million affected (November 2015)
  8. Tricare: 4.9 million affected (September 2011)
  9. South Carolina Department of Revenue: 3.6 million affected (October 2012)
  10. State of Texas: 3.5 million affected (April 2011)

Digitalguardian included a few details about the state breaches:

  • In Texas, where the breach involved Social Security numbers, dates of birth, and driver’s license numbers, the Comptroller’s Office confessed that it had “inadvertently kept the sensitive information on a publicly accessible state server.”
  • Hackers attacked the database in South Carolina, exposing 3.6 million Social Security numbers and 387,000 taxpayers’ credit and debit card numbers. The state had encrypted most of the credit card numbers but not the other information.
  • Similarly in Virginia, a hacker breached a Virginia government health website used by state pharmacists and stole the personal information of 8.3 million Virginians. This hacker later taunted the government and FBI, demanding $10 million for the safe return of the information, which included patient records and prescriptions.
  • In Georgia, the private information of 6.2 million voters, including Social Security numbers, had been accidentally included in a State Download File, which was sent to at least 12 groups. The leak, nicknamed #PeachBreach, was later blamed on a systems programmer.

More recently, between Aug. 7, 2017 and Jan. 23, 2018, the Massachusetts Department of Revenue inadvertently exposed private data of 16,500 business taxpayers to other users of its online portal, the Boston Globe reported last month. The data at issue consisted of business names, federal employer identification numbers, tax payments and other information, but not individual employee information such as Social Security numbers or wage data.

According to the Globe’s report, the problem stemmed from technical changes the department made to the portal, intended to make it easier to answer businesses’ questions about withholding. The changes were meant to let the department’s agents view bulk file data sent through the MassTaxConnect portal, but instead made it possible for any of the 38 payroll companies using the portal to look at the others’ data. Although the Department of Revenue fixed the mistake within 24 hours of learning about it, it did not notify the payroll companies until Feb. 9, 2018.
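What the Globe describes is a broken access-control regression: a code path that served bulk files only to their submitter before the change served them to any authenticated portal user after it. The Python below is an added illustration, not MassTaxConnect code or anything from the Department of Revenue; the in-memory store, the tenant names, the file ids and the assumption that an ownership check was what went missing are all constructed for the example. It shows the regressed lookup beside a tenant-scoped one, and a regression check that enumerates cross-tenant reads, which is the kind of test that catches this class of bug before a release.

```python
"""Tenant-scoped access to uploaded bulk files (added example, hypothetical code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Caller:
    principal: str            # authenticated user id ("" means not logged in)
    tenant: Optional[str]     # payroll company the user belongs to; None for department staff
    is_agent: bool = False    # department agent allowed to see every tenant's files


@dataclass(frozen=True)
class BulkFile:
    file_id: str
    owner_tenant: str         # payroll company that submitted the file
    payload: str              # business name, FEIN, payments ... (constructed sample)


class Forbidden(Exception):
    """Raised for both 'not yours' and 'does not exist' so existence is not leaked."""


# Constructed sample data: two payroll companies, one uploaded file each.
FILES: Dict[str, BulkFile] = {
    "f-1001": BulkFile("f-1001", "payroll-A", "Acme LLC;FEIN 12-3456789;Q3 withholding 4200.00"),
    "f-1002": BulkFile("f-1002", "payroll-B", "Beta Inc;FEIN 98-7654321;Q3 withholding 1750.00"),
}


def fetch_bulk_file_vulnerable(caller: Caller, file_id: str) -> BulkFile:
    """The regressed lookup (assumed shape of the bug): authentication is checked,
    but the file is returned by id alone, so any logged-in tenant can read any file."""
    if caller.principal == "":
        raise Forbidden("not logged in")
    return FILES[file_id]


def fetch_bulk_file_fixed(caller: Caller, file_id: str) -> BulkFile:
    """Ownership is enforced in the data-access layer, not left to the UI.
    Agents may read any file; a tenant may read only files it owns."""
    if caller.principal == "":
        raise Forbidden("not logged in")
    f = FILES.get(file_id)
    if f is None:
        raise Forbidden("no such file")           # same error as unauthorized
    if caller.is_agent:
        return f
    if caller.tenant != f.owner_tenant:
        raise Forbidden("file belongs to another tenant")
    return f


def cross_tenant_reads(fetch: Callable[[Caller, str], BulkFile]) -> List[Tuple[str, str]]:
    """Regression check: every tenant tries every file it does not own and the
    (tenant, file_id) pairs that were readable anyway are returned. A clean
    fetch function yields an empty list."""
    leaks: List[Tuple[str, str]] = []
    tenants = {f.owner_tenant for f in FILES.values()}
    for t in sorted(tenants):
        caller = Caller(principal="user@" + t, tenant=t)
        for fid, f in FILES.items():
            if f.owner_tenant == t:
                continue
            try:
                fetch(caller, fid)
            except (Forbidden, KeyError):
                continue
            leaks.append((t, fid))
    return leaks


if __name__ == "__main__":
    print("regressed lookup leaks:", cross_tenant_reads(fetch_bulk_file_vulnerable))
    print("scoped lookup leaks:   ", cross_tenant_reads(fetch_bulk_file_fixed))
```

The point of `cross_tenant_reads` is that a multi-tenant authorization check is cheap to test exhaustively against sample data, and that such a test belongs in the release gate for any change that widens who may read a record, which is exactly the kind of change the Globe describes.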

As it turns out, the breach was twice as large as originally thought. U.S. News reported on Feb. 22, 2018, almost two weeks after the Department of Revenue came clean, that it actually exposed private information of about 39,000 business taxpayers.

Even so, the Boston Globe piece quoted a Department spokeswoman who promised that it had “taken steps to correct this technical issue and will continue to take all precautions necessary to ensure reporting data is securely managed throughout this tax season.” To this end, on Feb. 12, 2018, the Department posted a press release alerting users that its “new opt-in fraud prevention program” is now available. The extent of this program appears to be encouraging taxpayers to “file their returns electronically.”

Other states’ measures

At least one other state has established procedures that one hopes are more robust. In Ohio, the Department of Taxation (ODT), “committed to safeguarding taxpayer dollars by increasing security measures,” had deployed an identity confirmation quiz, “just one of the tools ODT is using to prevent fraudsters from receiving a refund as a result of identity theft.”

The ODT sends out these quizzes, apparently at random, before it finishes processing a taxpayer’s return. Processing continues once the taxpayer confirms their identity by providing:

  1. The reference number from the quiz letter.
  2. The authorization code from the quiz letter.
  3. The refund amount requested on the return.

The ODT website also provides a link for quiz letter recipients who did not submit a tax return so they can report the return as suspect.
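The three values above amount to a secret mailed to the address of record (the reference number and authorization code) plus a knowledge factor taken from the return itself (the refund amount). The page says nothing about how ODT checks them, so the Python below is an added illustration of one sound way to do it, not ODT’s code: the letter’s code is stored only as a keyed hash, compared in constant time, bound to one return and one refund amount, limited to a few attempts, and given an expiry. The last function models the “I did not file this return” report, which should hold the return rather than let it pay out. `PEPPER`, `MAX_ATTEMPTS` and `LETTER_TTL` are constructed assumptions.

```python
"""Verifying an identity-confirmation letter (added example, hypothetical code)."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple

MAX_ATTEMPTS = 3                      # assumed lockout threshold
LETTER_TTL = 30 * 24 * 3600           # assumed validity window, seconds
PEPPER = b"server-side-secret"        # constructed; a real system loads this from a secret store


@dataclass
class QuizLetter:
    reference: str        # printed on the letter; public lookup key
    code_hash: bytes      # keyed hash of the authorization code (plain code is never stored)
    return_id: str        # the filed return this letter is tied to
    refund_cents: int     # refund amount requested on that return
    issued_at: float      # epoch seconds
    attempts: int = 0
    status: str = "pending"   # pending | confirmed | locked | expired | reported


def _code_hash(reference: str, code: str) -> bytes:
    # Binding the reference into the hash means a code only works with its own letter.
    return hmac.new(PEPPER, f"{reference}:{code}".encode(), "sha256").digest()


def issue_letter(letters: Dict[str, QuizLetter], return_id: str,
                 refund_cents: int, now: float) -> Tuple[str, str]:
    """Select a return for the quiz; returns (reference, code) to print on the letter."""
    reference = "R" + secrets.token_hex(4).upper()
    code = secrets.token_hex(4).upper()
    letters[reference] = QuizLetter(reference, _code_hash(reference, code),
                                    return_id, refund_cents, now)
    return reference, code


def verify(letters: Dict[str, QuizLetter], reference: str, code: str,
           refund_cents: int, now: float) -> str:
    """Check all three values the recipient supplies. Returns the letter's resulting status."""
    letter = letters.get(reference)
    if letter is None:
        return "rejected"                       # unknown reference; say nothing more
    if letter.status != "pending":
        return letter.status                    # already confirmed, locked, expired or reported
    if now - letter.issued_at > LETTER_TTL:
        letter.status = "expired"
        return "expired"
    letter.attempts += 1                        # count every attempt, right or wrong
    code_ok = hmac.compare_digest(letter.code_hash, _code_hash(reference, code))
    amount_ok = letter.refund_cents == refund_cents
    if code_ok and amount_ok:
        letter.status = "confirmed"             # caller may now resume processing return_id
        return "confirmed"
    if letter.attempts >= MAX_ATTEMPTS:
        letter.status = "locked"                # further guesses are useless; needs a new letter
        return "locked"
    return "rejected"


def report_not_filed(letters: Dict[str, QuizLetter], reference: str) -> bool:
    """Recipient says they never filed: flag the return so it is held, not paid."""
    letter = letters.get(reference)
    if letter is None or letter.status != "pending":
        return False
    letter.status = "reported"
    return True


if __name__ == "__main__":
    book: Dict[str, QuizLetter] = {}
    ref, code = issue_letter(book, "return-42", 123400, now=1_000.0)
    print(verify(book, ref, "WRONG000", 123400, now=1_100.0))   # rejected
    print(verify(book, ref, code, 123400, now=1_200.0))         # confirmed
```

Two details matter more than they look. Every branch that evaluates the code increments the attempt counter, so a wrong refund amount cannot be used to probe the code for free; and the “not filed” path changes the letter’s state rather than just sending an e-mail, so the return it was tied to stays held.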

A presentation at the Ohio Tax Conference in January 2017 described ODT’s tax fraud prevention efforts, which have “[b]locked more than a $1/2 billion in attempted theft of income tax refunds since June 2014.” In 2015, 1.8 million taxpayers took the quiz described above. In 2016, that number was 712,000, and 99.5 percent of taxpayers passed it.

The passage rate is relevant because it was not long ago that too many taxpayers were flunking the quiz. In January 2016, the Dayton Daily News reported that 10 percent of users could not pass; they had just 10 minutes to answer tricky questions about previous marriages, homes or vehicles purchased “years and years ago.” ODT adjusted the quiz by eliminating confusing questions and those that sought overly personal details. A high pass rate is only half the picture, though: questions drawn from public records and credit-header data are answerable by anyone holding the same data from a breach, so the pass rate says little about how many fraudsters the quiz turns away.

Michigan, like Ohio, asks selected taxpayers to take a quiz to confirm their identity. During last year’s tax season, the state’s Department of Treasury reported that “[f]or the 2015 tax year, over 33,000 returns were stopped, preventing more than $70 million in potentially fraudulent refunds from being issued by the state of Michigan.”