IRS Data Heist: Case Study of an Insider Threat and How to Prevent One in Your Organization

Posted October 24, 2023

A recent court ruling revealed how an IRS contractor was able to leak sensitive financial records of high-profile figures in 2021 through an elaborate insider attack. In October 2021, an IRS contractor leaked tax returns and sensitive financial records of thousands of wealthy individuals including Jeff Bezos and Elon Musk to the press. This brazen insider data breach provides a timely case study on how trusted insiders can exploit security vulnerabilities for their own motives. While the IRS contractor took extreme measures, their methods highlight tactics that insiders could potentially use in any organization. For IT leaders, this incident reveals valuable lessons on shoring up defenses against insider threats.

Common Tactics Used in Insider Threats

Insiders often take advantage of their privileged access and knowledge of internal systems to obtain and leak confidential data. Some of the most common tactics include:

Using personal devices and accounts to circumvent security controls on corporate systems.
Exploiting weak cybersecurity policies, training, and internal access controls.
Leveraging virtual machines and external websites to conceal suspicious activity from detection.

According to Verizon’s 2020 Data Breach Investigations Report, insider threats were involved in nearly 20% of breaches.

Case Study: The IRS Data Breach

The IRS contractor demonstrates how far insider threats will go. To bypass security protocols, they used their personal email, phone, and computers to search databases, download returns, and exfiltrate sensitive documents. The contractor also exploited poor training and auditing of access controls.

To avoid detection, they set up anonymous virtual machines detached from IRS systems. An anonymous Twitter account and Russian servers were used to eventually publish the private records. The boldness of these techniques highlights the importance of multifaceted controls to monitor, restrict, and detect unauthorized insider activity.

Applying Lessons Learned to Any Organization

While few insiders will go to this level of deception, the IRS breach illuminates several areas organizations can target to strengthen insider threat defenses:

Implement secure BYOD policies and remote access controls.
Limit access to sensitive data and implement robust monitoring.
Detect unauthorized external transfers and suspicious online activity.
Foster a culture of security through awareness training.

Technical controls are crucial but not the endgame. Organizations also need to:

Understand insider motivations like greed, ideology, coercion, or disgruntlement.
Cultivate ethical norms and ongoing security conversations.
Screen personnel and limit excessive access privileges.

Proactive Protection Against Insider Threats

With vigilance and a layered strategy, organizations can stay ahead of the insider threat:

Combine rigorous IT controls like SIEM, DLP, and UEBA to detect anomalies.
Make cybersecurity awareness learning mandatory at all levels.
Develop an insider threat prevention framework tailored to your risk landscape.
Implement zero-trust security

Key Takeaways

The IRS story provides a glimpse of how far insider threats may go. While extreme, the contractor’s techniques highlight the importance of comprehensive controls and culture to harden security from the inside out. IT leaders have an essential role in implementing multilayered protections focused on prevention. With proactive insider threat defense, organizations can protect their most sensitive data.

For example, insider breaches at companies like Uber, Tesla, and Twitter have impacted market capitalizations, investor trust, brand reputation, and customer retention. Healthcare organizations have faced stiff HIPAA fines after beaches disclosed protected records. The potential business impacts underscore why IT must make insider threat protection a priority for any organization handling sensitive data. With proactivity and vigilance, companies can develop robust frameworks to detect and neutralize insider threats before data ends up in the wrong hands.

Kevin Willette

Kevin Willette is Partner / CEO of Verus Corp. His focus is ensuring complete customer satisfaction and providing as much or as little support as is needed for the individual client. Kevin knows that plenty of places do IT services, but what sets Verus Corp apart is the local feeling and the commitment to doing things right the first time. He has always wanted to be a business owner because it affords him the opportunity to offer a service that was better than anything clients had seen before. His true goal is to help customers make their businesses better by removing potential IT barriers. Kevin served as chair for Habitat for Humanity during his time at Minnesota State University, Mankato. He has also served on the WatchGuard Advisory Council since 2016. Kevin’s work with Verus Corp has helped them achieve awards as the WatchGuard Partner of the Year and Cisco Select Partner. Kevin graduated from Minnesota State in 2000 with a major in Business Marketing and minors in Business Administration and Music.