'Significant' Number of Equifax Victims Already Had Info Stolen, Says IRS

An anonymous reader quotes a report from The Hill: The IRS does not expect the Equifax data breach to have a major effect on the upcoming tax filing season, Commissioner John Koskinen said Tuesday, adding that the agency believes a "significant" number of the victims already had their information stolen by cyber criminals. "We actually think that it won't make any significantly or noticeable difference," Koskinen told reporters during a briefing on the agency's data security efforts. "Our estimate is a significant percent of those taxpayers already had their information in the hands of criminals." The IRS estimates that more than 100 million Americans have had their personally identifiable information stolen by criminal hackers, he said.

The Equifax breach disclosed in early September is estimated to have affected more than 145 million U.S. consumers. "It's an important reminder to the public that everyone can take any actions that they can ... to make sure we can do everything we can to protect personal information," Koskinen said of the breach on Tuesday, in response to a reporter's question. The IRS commissioner advised Americans to "assume" their data is already in the hands of criminals and "act accordingly."

Re:

[MoarSauce123]

Especially since the IRS signed and then temporarily (!!!) suspended a multimillion Dollar contract with Equifucks. When does the government start protecting its residents from crime and evil? Why is Equifucks still in business? Close that shop down and throw the managers in jail.

Re:

[gtall]

Yes, throw the buggers in jail. Now please explain precisely under which law we will do this?

It doesn't matter that your information is stolen

[Arzaboa]

...cuz it's already been stolen. These are the same guys that tax civil forfeiture.

--
"Throw all the tea over!" -- Ben Franklin

Re: It doesn't matter that your information is sto

[Anonymous Coward]

I don't know about most of you but I've shared most my information on a very limited need to know basis. It's extremely unlikely most of my information was stolen prior to this idiotic event. Sure, some companies had some mailing addresses and credit card numbers but very few had everything together or my SSN. Now these idiots handed a consolidated version of it over and as usual there's no real repercussions. When will citizens of this country finally get upset enough to take action against this garbage an

They are not idiots. It's intentional.

[Anonymous Coward]

1 - allow all that personal info used to authenticate you to be stolen.

2 - everyone's tax returns get stolen (likely by intelligence agencies to fill their black fund pools).

3 - solve the problem with a universal chip-based token system (some smart card) for use with all government activities

4 - expand that to solve other identification "problems"

5 - replace cash with a government account linked to your universal ID

etc. etc. etc.

It always starts with the fear.

You are no longer ...

[PPH]

... a virgin. So a bit of rape won't really matter.

Just hold still.

U.S. Government says: "We Give Up!"

[RumGunner]

When asked for clarification, they responded "Everything is screwed anyways, so who cares!"

Re:U.S. Government says: "We Give Up!"

[whoever57]

Don't worry, there are posters here who will find a way to blame the breach on "government" and continue to claim that governments can do nothing right, while applauding big companies for whatever they do, good or bad.

Re:

[gtall]

I too get a bit irritated about the "government" talk. When some one commits murder, do we say his/her family committed the murder? No, and the government is not some monolithic entity, it has many moving parts. The reason is because that's what Americans have demanded government do, and what companies have managed to sneak in to government functions. The Reagan push to "privatize" government made the problem worse.

Re:

[phalse phace]

FUD... It was given BEFORE and revoked AFTER.

It hasn't been revoked. It's been temporarily suspended.

IRS puts Equifax contract on hold during security review [reuters.com]

NEW YORK (Reuters) - The U.S. Internal Revenue Service has temporarily suspended a contract worth more than $7 million it recently awarded to Equifax Inc following a security issue with the beleaguered credit reporting agency’s website on Thursday.

Re:

[HiThere]

Wasn't that after the second (or was it third?) breach. The feds just ignored the first one (that was kept secret for months).

Re:

[AtariEric]

I translated this as: "We give up - every person for themselves!"

So... what?

[Anonymous Coward]

Does it make it suddenly better.. or more OK.. that there were multiple companies that were so lax in security to release information to the bad guys? Is this an attempt at an "out" for Equifax? Can the IRS provide unequivocal facts proving that the Equifax breach had a "significant" overlap with previous breaches?

I mean come on. The IRS just nuked Equifax's contract is this supposed to make them feel a little bit better?

There is no "acceptable" release of information from a security breach.

Re: Why can't we have a flat tax?

[easyTree]

Because.... Accountants don't want that and their progression has leverage?

Did I win?

Re: Why can't we have a flat tax?

[easyTree]

Progression ->Profession

Re: Why can't we have a flat tax?

[Zero__Kelvin]

Seg Fault

Re:

[easyTree]

The system we have is great. It is so complicated that only the worthy may escape the maze.

Re:

[Eravnrekaree]

Most of the paperwork seems to be in documenting income and determining what counts as income, and all of the deductions. Going to 3 or 1 bracket does not reduce the amount of paperwork by much, since its not the source of most of the complexity.

Re:

[HiThere]

So the answer is to get rid of the deductions.

Personally, I don't favor a flat tax, but rather a linear tax with an offset as well as a flat tax rate, but that *is* a bit more complex.

Re:

[king neckbeard]

What makes the tax code complicated is not the tax brackets. That's a simple spreadsheet. What makes it complicated is the number of exceptions, which allow Warren Buffet to effectively pay a lower tax rate than his secretary. You can simplify the tax code without going to a flat tax, and a flat tax doesn't inherently mean that the exceptions have been removed.

Or, maybe we can allow a flat tax only under certain eligibility conditions: No government contracts or subsidies, no lobbying, and none of eit

Re:

[Neuronwelder]

I liked your first 2 lines very much.. But flat taxes - I'm not so sure.

Re:Why can't we have a flat tax?

[BronsCon]

I'm not sure how you think that would work long-term. Perhaps I'm missing something but...

If you're proposing that the government is only allowed to collect taxes (a percentage of the total paid) on money they've paid out directly, it seems to me that they'd necessarily run out of money in short order. Unless, of course, you think the government firing up the presses every time an expense comes up is actually a good thing?

Re:

[king neckbeard]

My point was to eliminate the hypocrisy of say, Raytheon, getting tax cuts under a vague "taxation is theft" or "small government" mantra. If taxation is theft, then their profits were built upon theft., and thus, at least partially invalid.

Re:

[cyberchondriac]

Except a lot of criminals either have no real jobs or won't pay taxes. When's the last a drug dealer paid taxes on his business dealings, or the mob didn't cook the crap out of their books?

Seriously?

[easyTree]

That's the best they can do?

REGULATIONS require broken encryption (Obama)

[raymorris]

The "REGULATIONS" I had to follow on government-sponsored projects *required* we use outdated, thoroughly broken suckerity, such as MD5. It takes less than one second to break MD5. We're not allowed to use effective algorithms such as SHA256, we must use the completely broken MD5. These regulations were of course promulgated by the Obama administration.

I would LOVE it if information security could be fixed by regulation. I'd love it even more if it could be fixed by whining about the other team. Sadly,

Re:

[gtall]

"information security to be fixed by regulation". How would that work, exactly. You admitted you cannot tie it to prevailing technology because advances can make the technology obsolete. If you write something more blanket like, "Thou shalt not allow any information not entirely yours to leak" creates a Swiss cheese of a law which ambulance chasing lawyers will drive trucks through. And it would be so draconian that there is no hysteresis in the system of law governing information, that opens holes up just

Re:

[suutar]

I think his point is that it wouldn't work. He wishes it would, but this is reality, and by implication in reality it doesn't.

Quite a statement

[markdavis]

>"'Significant' Number of Equifax Victims Already Had Info Stolen, Says IRS"

Then what would the IRS have possibly gained by trying to use Equifax's services to help prevent fraud?

Or perhaps this is code for "don't look at the man behind the curtain" or "oh, don't worry, we got ya covered anyway" or "see, none of this really mattered anyway, so let's not talk about security or misuse of the SSN as a universal ID number anymore." So many possibilities. Yeesh

...And do what?

[TiggertheMad]

"assume" their data is already in the hands of criminals and "act accordingly."

...And do what exactly? Burn our current identity and get a new one out of the bag that we have hidden in a locker at the bus station? Whee, I am now Raoul Yankinov now, bricklayer from New Jersey!

If the government is going to hoard PI and not defend it with ICE and brutal cyber crime laws, they better come up with a better fucking plan 'b' for when they worked over by everyone on the Internet who can write a script.

Re:

[aaarrrgggh]

Well, previous advice was to "file early."

Not that you can file faster than a bot polling from your payroll data...

It's Equifax's job to attack your privacy

[aberglas]

That is what they do. And sell the information to anyone who'll pay.

And the people of America think that is a good idea.

The data leaks just mean that some people are getting the data for free.

Re:

[Neuronwelder]

Earwaxes response: Whahh!! I don't want to spend the money on security. I want to keep it. Whahh!!

Re:

[aberglas]

No other western country allows this (that I am aware of). This is purely a US thing, and really surprised me when I lived there for a while.

Re:

[gtall]

The people of American never go to vote on whether someone collecting and creating honey pots for criminals and "product" to sell regarding information. Government cannot be expected to be immediately on top of every stupid thing companies do. The right claims too much government interference (as long as it doesn't involve religion what whatever Trump is wanking off on these days), the left wants an authoritarian dictatorship which will punish every micro-aggression which they get to define.

Anthem, Yahoo!, and others.

[Anonymous Coward]

I have been part of the Anthem, Yahoo!, Equifax, and few other data breaches.

Getting the "Your data has been stolen and we're giving you free identity protection" letters has become routine for me.

THEN I call the 800 number on my credit report and I get some foreigner. When I ask where are they, I get "We cannot disclose that for security reasons." bullshit.

So, _I_ have to disclose all my personal data to someone in some god knows where country to get customer service and _I_, the customer, cannot know tha

How do you stop them?

[spaceman375]

Three times in the last few months I've found that some company I once bought an item or service from has kept my credit card details "on file" just in case I fail to pay for subsequent purchases. They never asked permission, which would have been denied, but how can I stop them? I told each of them that single action has resulted in my never doing business with them again. These are businesses that have only a few employees, no chance of an IT person, let alone an actual security policy nor any idea what "

Re:

[ShanghaiBill]

There really should be big fines on this sort of irresponsible collection of sensitive data.

This would have an unintended consequence of giving companies an even greater incentive to cover up security breaches. They only have to pay the fine if they get caught.

Re:

[drinkypoo]

There really should be big fines on this sort of irresponsible collection of sensitive data.

This would have an unintended consequence of giving companies an even greater incentive to cover up security breaches. They only have to pay the fine if they get caught.

Make the fine ten times larger if they don't come forth in a timely fashion and admit it themselves. Hand 1/10 of the fine to the whistleblower.

Re:

[currently_awake]

Use Visa gift cards for online purchases. Even with the refillable ones the cost of trashing one and getting another is very low.

It's all stolen BUT GO AHEAD & TRUST IT ANYWAY

[gavron]

The IRS knows that half that US taxpayers just got hacked, and 1/3 were already hacked. What are they doing to avoid giving refunds to the wrong parties? What are they doing to establish a new secure authentication/identification system that hasn't been hacked? What are they doing in any way, shape, or form?

The answer to all these is NOTHING.

The IRS has the responsibility of collecting operating funds for the largest most affluent government in the world... and instead of securing their clients, securing

Re:It's all stolen BUT GO AHEAD & TRUST IT ANY

[BronsCon]

Is there any part of this Administration that can sink any lower?

This can't be the first time you've asked that. Have you not learned that they're more than happy to answer? PLEASE, stop asking!

Re:

[ffreeloader]

You have a very odd idea as to what being "affluent" is. The Federal government owes more than $225 trillion which includes $205 trillion in unfunded liabilities that Congress has unconstituionally spent without making any provision to pay.

It seems you think debt == affluence, and the more debt you have the richer you are.

The US is bankrupt. If the government lowered spending enough to start paying off what we owe at $1 trillion a year it would take more than 2 centuries to get us out of debt, even if we

Re:

[Dutch Gun]

I generally agree with your sentiment, but your individual debt figure is off by over an order of magnitude. The debt per citizen is a bit over $62K, while the debt per taxpayer is over $168K.

Source: http://www.usdebtclock.org/ [usdebtclock.org]

Also, I'm not sure how you figure deficit spending is "unconstitutional". The US does not have a balance budget amendment.

Re:

[gtall]

In order for the IRS to create a new secure/authentication system, they need a bill passed in Congress and signed by What's-His-Name telling them to do this. More importantly, they need an yearly appropriation for x years giving them the money to do this. This should take what, a couple-O-weeks on your time scale?

An alternative to producing said system in house, which I might add would require staffing and buying machines to produce said system, is to turn the effort over to private industry...presuming the

Re:

[Daetrin]

This is not surprising seeing as the IRS is part of the Administration of He Who Shall Not Be Named Responsible.

I'm actually unsure which administration you're trying to blame for this problem, but the IRS has been around for over a century and a half, there's not really much about it that you can blame on a single administration, or even a single party.

The problem is that we, as a country and quite possibly as a species, just can't math. Or rather we can math, but we then throw it all out the window as soon as emotions get involved.

We've spent trillions of dollars and thousands of lives on wars and military act

Re:

[operagost]

abortion and gay rights and drugs

One of these is not like the others.

Re:

[Daetrin]

Each of them is not like the others.

Re:

[HiThere]

Much as I despise Trump, this is unfair criticism. The IRS has been arrogantly abusive and unresponsive to clear needs for well over a decade...and I'm not sure how much over. It doesn't seem to change when the administration changes.

It's time to start suing creditors for libel

[PeterM from Berkeley]

Let loose the class action lawsuits.

Every time some dumbass creditor loans money out to someone on strength of this stolen information and doesn't get paid, but turns around and trashes the person identified by the information, sue the creditor.

I know that if I were on a jury I'd be like, "You idiot creditor. You didn't get repaid because you didn't bother to really verify the identity of the person you gave money to. And then you think you're justified in trashing this innocent person's reputation? Well, I feel justified in handing that innocent person a LARGE payment for damages. Yeah, I think $1M ought to cover it."

Re:

[HiThere]

Everything you say is true, and I'd still be tempted to vote to find the creditor guilty.

Re:

[Opportunist]

The SSN isn't that big a problem. The problem is that for some odd reason it's not used for identification but for authorization.

THAT is the essential problem here.

Imagine a police officer saying this

[Opportunist]

You, in your vandalized home after someone broke into it and went through your stuff, and the police officer saying "Hey, ain't that bad, after all, didn't you have someone break in before? You should be used to it by now!"

What do you get for making an officer eat his badge?

Re:

[account_deleted]

Comment removed based on user account deletion

Closing the barn door after the horse has left

[Rick Schumann]

Subject line says it all. I'm not even going to be bothered to do a gods-be-damned thing unless I see my identity has been stolen or my bank account has been affected because it's already too gods-be-damned late to do anything about it anyway, and thanks so FUCKING MUCH for that, Equifax, YOU HAD ONE JOB AND YOU FUCKED IT ALL UP!

Identity and privacy should be separate issues

[trenobus]

Unfortunately our usual method for ascertaining identity is based on an assumption of privacy of certain personal information. The loss of privacy represented by this breach is certainly something deserving of our outrage. But all that justifiable outrage is dwarfed by the implications of no longer having a reliable way to establish identity in a mobile and technological society. While there is still time before the stolen information is widely disseminated, we need to use the doomed current system to boots

Let's make it all public

[fropenn]

Let's make all social security numbers, birth dates, and addresses public. That way the financial companies will have to find a better way of verifying the identify of people before it gives them access to large sums of money.