in

This Blog

Syndication

Tags

News

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Archives

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

California Accountants Hacked To File Fraudulent Tax Returns

Time has shown that all types of businesses are targets for hacking. The big ones, because they have money. The small and medium-sized businesses, because they have money, although less of it than big enterprises. Stories of phishing or hacking into computers that host electronic banking activities have popped up in the news frequently.

Here's a new twist: According to databreaches.net, a CPA firm in California has filed a data breach notice with the authorities, reporting that it was hacked and that fraudulent tax returns were filed for over 40 of its clients. There is some ambiguity surrounding the situation, as it could be read as (a) hackers stealing the CPA's client data and filing tax returns online, using the hackers' own computers or (b) hackers filing the returns using the CPA's own computers, which would be quite novel.

The latter interpretation is quite far-fetched, I admit, because the prior makes much more sense. Hackers tend to hit fast and exit a breached network even faster. On the other hand, hackers "lounging around" is not unheard of. Small businesses have run into problems because sizable wire transfers were initiated from their own computers (that is, hackers remotely operated these devices); the banks, in turn, accepted these transfers as legal transactions specifically because it came from a trusted computer.

If I recall correctly, the IRS also accepts certain filings as non-fraudulent over others because they come from a trusted source such as a well-known tax preparation firm, for example. All the more reason for hackers to target such firms, especially small ones that usually don't spend as much on data security, if looking to avoid the IRS's scrutiny. With limited funds, it makes sense for an organization to focus less where the chances of fraud are low.

The Weakest Link

This case is a classic illustration of how the weakest chain in the link will be targeted when it comes to security. The IRS has taken quite a bit of flak in recent years because of their seeming inability to stop (or even significantly stem) fraudulent tax returns. Some experts blamed the IRS for not having enough security on their site. Others blamed the IRS's seeming lack of proper security checks in its operations.

However, even if the IRS were to completely eliminate any security weaknesses, the above case shows that there's still other ways to successfully file fraudulent returns. For example, the hackers had access to the following data:

[For individuals] this information may have included their name, gender, birth date, telephone number(s), address, social security number, all employment (W-2) information, 1099 information, direct deposit bank account information including account number and routing information (if provided to them), and supporting documentation including brokerage statements and other documents you may have provided to [the CPAs].
Even if the IRS were to receive perfect marks when it comes to the technical aspects of data security, it would be unable to fight off fraud if criminals have access to detailed information that we normally associate with the true "owners" of said data. How is any organization supposed to tell apart the impostor from the real person if they can both present the same information?

Small is not Secure

Practicing data security at all levels is the only way to turn the tide. If you're a small business that deals with extremely sensitive information, it behooves you – by law as well as ethics – to ensure that your security is up to par. Some – nay, many – small businesses think that their relative size is protection, that it's the whales that get harpooned while they go unnoticed.

Howver, being small fish affords protection only if predators cannot find you; but in the world of business, if people can't find you, that's a death knell for your business. Are you listed anywhere on the internet? Is your business associated with certain keywords that reflect the industry you're in? Do you use any form of electronic communication that's known to be a vector for hacking, like email or using a browser for visiting a website? If the answers to these questions are "yes," then you're "harpoon-able" no matter what your size.

 

Related Articles and Sites:

https://www.databreaches.net/california-cpa-firm-hacked-to-file-fraudulent-returns/ https://oag.ca.gov/ecrime/databreach/reports/sb24-63840

 
<Previous Next>

Discontinued TrueCrypt Full Disk Encryption Shows Vulnerabilities

Cloud Services: Will It Be There When You Need It?

Comments

No Comments

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.