Shostack + Friends Blog Archive


DSW, IRS Security Failures

What is it with order of magnitude errors in victim counts? DSW Shoe reports 1.4 million credit cards exposed.

In other news, the General Accounting Office reports:

[The IRS] has corrected or mitigated 32 of the 53 weaknesses that GAO reported as unresolved at the time of our prior review in 2002. However, in addition to the remaining 21 previously reported weaknesses for which IRS has not completed actions, 39 newly identified information security control weaknesses impair IRS’s ability to ensure the confidentiality, integrity, and availability of its sensitive financial and taxpayer data and FinCEN’s Bank Secrecy Act data.

Andy Sullivan has some good analysis at Computerworld. We don’t yet know of any breaches at the IRS, but that doesn’t mean there haven’t been any. It seems that California’s SB 1386 covers “any agency.” I don’t see why the Federal Government would be exempted from that, any more than they’re exempted from, say, local noise ordinances. But the IRS is legendary for their willingness to ignore the law, so it could be that they’re illegally concealing information that the law in California requires them to disclose.