In the last year, high-profile data breaches have hit numerous health centers, retailers and agencies. These hacks highlighted the need for more access control, higher data security budgets and, in general, a more focused approach to data center security. Until such measures were taken, some admonished, these breaches would continue and ordinary people would be at risk of losing valuable information like bank account PINs and Social Security numbers.
Unfortunately, there are still plenty of holes. On Tuesday, May 26, the Internal Revenue Service released a statement saying 104,000 taxpayers' accounts were compromised, according to The Washington Post. Hackers made off with individuals' tax returns from this past spring by infiltrating their past tax filings. By manipulating an IRS system called "Get Transcript," cyberthieves gained access to prior tax returns and used that information to fraudulently file new returns.
To bypass IRS security protocols, these hackers must have already had some restricted information, according to IRS Commissioner John Koskinen.
"A hack of this magnitude indicates a failure at some level or another."
"[O]ur criminals already had to have personal identifiers available and personal information for each taxpayer," Koskinen said in a press conference. "We're confident that these are not amateurs but organized crime syndicates that not only we, but others in the financial industry are dealing with."
Industries work to defend against damaging breaches
This wasn't the first time the IRS demonstrated some frailty when it comes to digital security. Suspicious tax filings increased this year, though Koskinen said the two were not related. Still, the IRS is an organization with a high degree of access to the public's most valuable financial information. As such, a hack of this magnitude indicates a failure at some level or another.
One of these techniques could be as simple as addressing shortcomings highlighted by government audits. According to USA Today, federal audits of the IRS that took place from 2007 to 2014 repeatedly found potential security risks, including hiring ex-convicts without a background check and neglecting to vet employees with access to sensitive information.
"Collectively, these databases failed 30 percent of our tests," one government audit assessed in October 2014. "Exploitation of the vulnerabilities found could result in unauthorized accesses to taxpayer information and ultimately result in identity theft or fraud."
A number of data centers were able to demonstrate full compliance with recent audits, according to a press release from 365 Data Centers, one of the largest colocation facilities in the U.S. All 16 of 365's facilities passed inspection for industry standards by HIPAA, PCI, ISAE 3402, SSAE 16 and SOC 2.
"Certifying compliance across all facilities is a significant accomplishment and an uncommon feat these days," said Scott G. Price, managing director for independent auditor A-lign.
By passing these inspections or resolving the issues they might reveal, organizations can better protect their clients' information.
Biometric security can restrict access
Untrustworthy employees can be the entry point for large-scale hacking operations, so organizations must be sure to hire the right people. Fortunately, there are other ways to reduce the risk of insiders working with malicious hackers.
First and foremost, institutions like the IRS must only hire those with clean backgrounds and no risk of leaking information. Still, even those methods may fall short of identifying every potential criminal. These companies cannot deny employment unless there is grounds to do so.
Instead, the IRS and other organizations can leverage biometric access control to limit who can use certain rooms, server cabinets and other entry ways. This technology requires a piece of physical identification, via fingerprint reader, iris scanner or other system, to gain access. Rather than having a keycard or PIN, trusted individuals use their own fingerprints as the key.
Additionally, these methods can allow the center to track when, where and by whom a given access point was used. This information can provide insight on any suspicious activity, as well as provide an audit trail for federal inspections.
The best of these systems require two separate physical IDs to gain access, provided simultaneously. That means anyone who sought to infiltrate a server cabinet protected by such a technology would need an accomplice with an equal or higher level of security access. So far, none of these systems have been breached.
By working with biometric technology and remedying the shortcomings audits reveal, the IRS and other large organizations can be safe havens for their clients' information and identities.