IRS Reducing Size Of Cybersecurity Staff

The Internal Revenue Service, which confirmed rumors of a breach of 100,000 taxpayer accounts, has been consistently reducing the size of its internal cybersecurity staff as it increases its security spending. This may seem paradoxical, but one observer suggested it could signal a shift to outsourcing.

In 2011, the IRS employed 410 people in its cybersecurity organization, but by 2014 the headcount had fallen by 11% to 363 people, according to annual reports about IRS information technology spending by the U.S. Treasury Department Inspector General.

Despite this staff reduction, the IRS has increased spending in its cybersecurity organization. In 2012, the IRS earmarked $129 million for cybersecurity, which rose to $141.5 million last year, an increase of approximately 9.7%.

This increase in spending, coupled with the reduction in headcount, is an indicator of outsourcing, said Alan Paller, director of research at the SANS Institute. Paller sees risks in that strategy.

“Each organization moves at a different pace toward a point at which they have outsourced so much that the insiders do little more than manage contracts, and lose their technical expertise and ability to manage technical contractors effectively,” said Paller.

An IRS spokesman was not able to immediately answer questions about the IRS’s cybersecurity spending.

This breach is drawing congressional scrutiny. On Tuesday, U.S. Senator Orrin Hatch (R-Utah), who heads the Senate Finance Committee, called the breach “unacceptable.”

The IRS’s total IT budget in 2014 was $2.5 billion, an increase from the prior year’s $2.3 billion, with 7,339 employees last year, little change from 7,303 reported in 2013.

The agency’s IT budget has fared better than the agency overall. Congress has been cutting spending at the agency. IRS funding has been reduced by $1.2 billion over the last five years, from $12.1 billion in 2010 to $10.9 billion this year. An IRS official told lawmakers earlier this year that the budget cuts have delayed critical IT investments of more than $200 million, which includes replacing aging IT systems.

Source

Medical Data Becoming Valuable To Hackers

The personal information stored in health care records fetches increasingly impressive sums on underground markets, making any company that stores such data a very attractive target for attackers.

“Hackers will go after anyone with health care information,” said John Pescatore, director of emerging security trends at the SANS Institute, adding that in recent years hackers have increasingly set their sights on EHRs (electronic health records).

With medical data, “there’s a bunch of ways you can turn that into cash,” he said. For example, Social Security numbers and mailing addresses can be used to apply for credit cards or get around corporate antifraud measures.

This could explain why attackers have recently targeted U.S. health insurance providers. Last Tuesday, Premera Blue Cross disclosed that the personal details of 11 million customers had been exposed in a hack that was discovered in January. Last month, Anthem, another health insurance provider, said that 78.8 million customer and employee records were accessed in an attack.

Both attacks exposed similar data, including names, Social Security numbers, birth dates, telephone numbers, member identification numbers, email addresses and mailing addresses. In the Premera breach, medical claims information was also accessed.

If the attackers try to monetize this information, the payout could prove lucrative.

Credentials that include Social Security numbers can sell for a couple of hundred dollars since the data’s lifetime is much longer compared to pilfered credit card numbers, said Matt Little, vice president of product development at PKWARE, an encryption software company with clients that include health care providers. Credit card numbers, which go for a few dollars, tend to work only for a handful of days after being reported stolen.

Source