Eide Bailly’s Forensics & Security Incident Response Team was recently involved in the investigation of unauthorized access to a client’s computer system. The access allowed the suspects to obtain employee personal information, which was then used to file false tax returns in order to collect refunds. The victims typically don’t know they have been victims of identity theft until they file their own return and the IRS flags the legitimate return as a duplicate.
This is not a typical hacking situation. Based on our investigation, it appears there may be a link to our client’s third-party vendor, which was responsible for archiving employee tax information. Several companies that have reported the identity theft were using the same third-party vendor. In addition, the password scheme offered by the vendor was not robust.
Protect Your Data and People
Hacking incidents like this are a reminder that your business should be regularly reviewing best practices to protect your employee and customer information.
Passwords - First, account usernames and passwords should not include any personal identification information such as a date of birth or Social Security number. Passwords should be a minimum of eight characters in length and should not be a dictionary word or proper name. Systems should not allow the username and password to be the same. Passwords should combine letters, numbers, special characters, and mixed capitalization, and should be required to change every 90 days. Companies should make this the minimum standard policy for their own network and insist that it is the standard for every third-party vendor that handles sensitive company information. In the event of a security incident, policies should require password changes as soon as possible.
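As an added example, not code from Eide Bailly’s update, a small Python checker that applies the password rules listed above to a candidate password and flags a password that is past its 90-day rotation. The word blocklist and the user attributes are constructed sample data, and the birth-date format (YYYY-MM-DD) is an assumption.

```python
import re
from datetime import date

# Constructed sample blocklist standing in for a real dictionary/name list.
COMMON_WORDS = {"password", "welcome", "summer", "football", "jennifer"}
MIN_LENGTH = 8
MAX_AGE_DAYS = 90


def check_password(password, username, birth_date=None, ssn=None):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if password.lower() == username.lower():
        problems.append("identical to the username")

    # Personal identifiers: reject the raw DOB/SSN values and their common fragments.
    fragments = set()
    if birth_date:  # assumed format YYYY-MM-DD
        y, m, d = birth_date.split("-")
        fragments.update({y, y[2:] + m + d, m + d + y, m + d + y[2:], m + d, d + m})
    if ssn:
        digits = re.sub(r"\D", "", ssn)
        fragments.update({digits, digits[-4:]})
    pw_digits = re.sub(r"\D", "", password)
    for frag in fragments:
        if len(frag) >= 4 and (frag in password or frag in pw_digits):
            problems.append("contains a personal identifier (DOB or SSN)")
            break

    # Dictionary word / proper name check after stripping digits and symbols.
    if re.sub(r"[^a-z]", "", password.lower()) in COMMON_WORDS:
        problems.append("dictionary word or proper name")

    # Character-class mix: lower case, upper case, digit, and a special character.
    classes = (re.search(r"[a-z]", password), re.search(r"[A-Z]", password),
               re.search(r"\d", password), re.search(r"[^A-Za-z0-9]", password))
    if not all(classes):
        problems.append("must mix lower case, upper case, digits and symbols")
    return problems


def rotation_due(last_changed, today):
    """True when the password is 90 or more days old and must be changed."""
    return (today - last_changed).days >= MAX_AGE_DAYS


if __name__ == "__main__":
    print(check_password("Jd0e!1985", "jdoe", birth_date="1985-04-12"))
    print(rotation_due(date(2024, 1, 1), date(2024, 3, 31)))
```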
Security Questions - Security questions should be hard to guess. Answers about someone’s favorite sport, number of children, and similar details are readily available through social media and free or paid databases.
Cell Phones – You should have a policy setting minimum requirements for cellular phones that access the network. All updates and patches should be current. Require local authentication on the device and stronger authentication where it is available. Require anti-virus software and a personal firewall. Erase cached information routinely.
Logging Incidents - If a security incident is detected, the record should at a minimum include the time and date of the incident, its location, what systems were affected, how it was detected, the type of incident, a description of the incident, and what actions were taken to resolve the matter. Contact information for the appropriate response team should be readily available.
If You Are a Victim
If you feel that your personal information has been stolen and is being used, here are some things you should consider doing right away.
- Contact the IRS to find out if a fraudulent tax return has been filed in your name. If there is fraudulent activity with the IRS, you will have to complete an Identity Theft Affidavit with the IRS and report to the Social Security Administration that your Social Security number has been compromised.
- Put a fraud alert on your credit report with the three credit reporting agencies: Experian, Equifax, and TransUnion. As an additional precaution, you can place a security freeze on each of your credit reports, which prevents any new access to them. However, this could make it more difficult for you to conduct normal credit transactions yourself.
- The Federal Trade Commission (FTC) allows you to file a complaint reporting identity theft either online or by phone through its hotline. Its website also contains additional information and resources to help you get your identity repaired and secured.
Examine Third-Party Relationships
Remember, while your own IT systems may be secure, failing to ensure that the third-party vendors and contractors who handle your information also have sufficient security in place can directly affect your customers, your employees, and confidence in your company. If you have questions about tax fraud, identity theft schemes, or the recommendations in this update, Eide Bailly’s forensics professionals are available to address your concerns. If you become a victim of a tax fraud or identity theft scheme, we have the resources to help you investigate the matter further and/or establish a criminal referral at the local, state, and federal levels.