Thursday, April 23, 2009

IRS Playing with Fire

Rubbing salt in the wounds of over 1MM people who had their personal information compromised, the IRS (Internal Revenue Service) has awarded RBS WorldPay a contract to process tax return payments for the 2010 filing season.

The Internal Revenue Service has awarded a contract to process tax return payments for the coming filing season to RBS Worldpay, a company that recently disclosed that a hacker break-in jeopardized financial data on 1.5 million payroll card holders and at least 1.1 million Social Security numbers.
It would seem to me that this is rubbing salt in our wounds. The article goes on to show how even the government is resting on the laurels of PCI compliance, in an effort to comprehend (or at least pretend to comprehend) the complexities behind securing private information in the banking/card services sector.
IRS spokesman Anthony Burke said RBS will not be allowed to process credit card payments for taxpayers owing money to Uncle Sam until Jan. 20, 2010. Before that date, he said, RBS will not only have to show that it is once again PCI compliant, but that it also has passed the IRS's own payment security audit.
All I can really say is... yikes. So are we once again equating passing a "point in time" audit with a demonstration of overall good ongoing security? I know this could spark a disagreement between the two sides in the compliance-based security debate, so I'm going to leave that alone for now. My bigger concern is that the US Government (the same government which has now spent our great-great-grandchildren's money) is making some very poor decisions. There is also a hint of using the IRS's "own payment security audit"... but a browse and search through the IRS website, including their FOIA (Freedom of Information Act) reading room, shows zero documents or disclosures relating to this audit process... In a government which is re-inventing itself as more transparent... this type of information would be nice to have.

This quote caught my attention immediately, as it hints at a 3rd party "verifier" of security running a "series of tests", which I can only guess is a functional testing cycle rather than a security "vulnerability test":
"All service providers must undergo system acceptability testing," Burke said. "We have a third-party who runs a series of tests on all of our providers to make sure their systems are secure before they accept credit card payments" on behalf of taxpayers, he said.

In the end, I suspect we the taxpayers will be the ones who pay (literally and figuratively) for the failures of the IRS in managing their processing and payment partners...


Armorguy said...

I'd like to posit an alternative idea...

What company would be safer to use than one who has just been breached?

By that I mean they have just spent untold dollars and man-hours going through their system front-to-back and left-to-right and fixed (one would think) everything. Their senior leadership has been smacked around *hard* and don't want that again.

Could it be that this is actually a good and safe choice?

Rafal Los said...

@Armorguy: You're making an assumption I'm not willing to make here - one that indicates that RBS/WorldPay has gone to an extensive effort to "secure" their systems. Post-incident (especially one that massive) a company typically takes one of two routes - they either do everything they can to actually "get secure" to avoid that event in the future, OR they simply try their best to bury that event and focus all energies on that act... providing no actual security addition. Having been on the inside of one of these incidents at a major Fortune 5 company I can tell you that most of the time they DO NOT, as you say, go through their systems front-to-back and "fix everything"...

Anyway - I would rather them go with an entity who has not been publicly flogged for poor security and privacy practice... at least not to as great of an extent.

DanPhilpott said...

I would be surprised if a PCI-type compliance audit would be sufficient for the IRS. As a Federal agency they should have written into any contract that the vendor must provide security controls sufficient to satisfy FISMA requirements. While it is unlikely they would be required to go through a full C&A, they would have to satisfy the IRS to establish a trusted relationship. With the potential impact of a failure in this system being so high, I would expect the security leadership at the IRS to be approaching this system with all due caution.

Especially with PII at stake, the IRS would have every reason to ensure that risks were minimized throughout the process. I haven't worked at the IRS, but from discussion with employees there the culture is hyperaware of PII issues. This stems in part from Federal requirements but mainly from extensive experience in court cases and FOIA requests. They minimize exposure of PII data so fanatically it would make a paranoid proud.

None of this means that the security won't fail. But it does mean that a manager at the IRS will have to accept responsibility for the operation of the system and decide whether the risk of operation has been effectively managed. With PCI having had a spotty history and some rather visible failures, I suspect PCI compliance will not be accepted as sufficient to ensure risks have been effectively managed.

Marlon Baudet said...

Well said, DanPhilpott.