Kansas City Loses IRS Tapes

Second in our series of stupid comments to the press, here's Kansas City's assistant city manager commenting on the fact that they lost 26 computer tapes containing personal information:

"It's not a situation that if you had a laptop you could access," Noll said. "You would need some specialized equipment and some specialized knowledge in order to read these tapes."

While you may be concerned the missing tapes contain your personal information, Cindy Richey, a financial planner, said don't be too alarmed.

"I think people might be surprised at how much of that is already floating around out there," Richey said.

Got that? Don't worry because 1) someone would need a tape drive to read those tapes, and 2) your personal information is all over the net anyway.

Posted on January 24, 2007 at 1:04 PM • 25 Comments

Comments

Anonymous Coward • January 24, 2007 1:11 PM

Feh.

So, no criminal has a tape drive?
Or perhaps the tapes were in a proprietary format?

The technology has existed for *YEARS* that allows for backup tapes to be encrypted. Will encryption only be used by the NSA, in SSL, and by a few paranoid hackers using GPG?

Saxon • January 24, 2007 1:13 PM

After all, the payoff from the fraud you can commit with the financial info of thousands of people isn't enough to cover the cost of a second-hand DLT drive to read it.

Yadda • January 24, 2007 1:23 PM

I think if the data was rot13'd they'd say it was unreadable. More likely it's just a tarball on a something-inch tape.

Can we get these people taught a lesson somehow??

jb • January 24, 2007 2:38 PM

I think using a big stick and not letting some jackass who's not used to running PR handle the press is a good start for preventing panic.

Of course, that's not likely to happen.

KCMad • January 24, 2007 2:51 PM

I work in Kansas City, MO. In fact, I'm in KC as I'm writing this.

Rather than contrition, we get this kind of "don't worry" PR. . .

As far as proprietary, and the IRS, they probably just converted from punch cards last week.

Great, now they'll probably have to raise the 1% earnings tax to pay for all of the security we taxpayers will demand. Damn.

Quercus • January 24, 2007 4:40 PM

Well, not a good PR move, but doesn't she kind of have a point? Doesn't Bruce say that the real problem isn't that people can find out your SSN and birthday, it's that banks (& credit card issuers, etc. etc.) are too willing to believe that anyone who knows your name, SSN and birthday is really you?

Not that I'm saying personal information should be given away at any opportunity (I'd support much much stronger data privacy laws in the US), but if your security depends upon nobody knowing your SSN and bank account #, then you're already screwed.

jb • January 24, 2007 4:57 PM

@ Quercus:

While it's a crap form of auth, I'm not convinced she should dismiss the danger or potential problem this data loss presents for citizens. It's not like people have a choice in how their data is being handled.

Dave • January 24, 2007 6:37 PM

Stupid, but at least he's honest! It in fact DOES require specialized tape readers, and in fact your information IS all over the net anyway! Loss of tapes that require specialized tape readers is, of course, one of the root causes as to why your information is all over the net... :-(

Thomas • January 24, 2007 8:27 PM

@Yadda
"""I think if the data was rot13'd they'd say it was unreadable."""

Well, it _would_ be illegal to reverse-engineer the encryption ...

soothsayer • January 24, 2007 8:29 PM

I think the manager was trying not to say that there are a lot of tapes out there with data that no one knows what's in them.

Not that your data is in the web anyways why bother.

I think some readers on this site are pathetic, they want to hang everyone for "mistakes" ALL the time.

Bruce, some of this is your doing, you are picking "useless" stories and hyping them to the dotts. You are becoming more of a loss-of-privacy-fear-creator-in-chief.

George Fujimori • January 24, 2007 9:23 PM

@Soothsayer

OK smart guy, put your data where your mouth is.

I want you to post the following here in the comments section, it's probably representative of the more interesting information on those tapes:

<>Full name
<>SSN
<>Birthdate
<>List of your dependents
<>Primary home address
<>Home phone number
<>Place of employment
<>Employer's address
<>Gross annual income
<>Name of your bank
<>Number of your primary bank acct
<>Photo of a pigeon or squirrel in your backyard

In regards to the original article, the IRS should have to pay a fine to every person affected by the breach. That would help mitigate the negative externalities involved in these kinds of situations.

Persona non Grata • January 24, 2007 11:03 PM

I'm not worried. Since I am illegal, all of the information about me on the tapes belongs to somebody else...

supersnail • January 25, 2007 2:22 AM

@Kevin Davidson

You would also need the proprietary COBOL language to decode the data.

Anonymous • January 25, 2007 6:08 AM

It's possible the tape requires something like an IBM 3490 or 3590 tape drive and a mainframe environment to match. The cost of obtaining the appropriate enterprise hardware (and the personnel to run it) could be quite prohibitive.

JohnJ • January 25, 2007 6:34 AM

@Anonymous - Procuring a 3x90 tape drive with a SCSI attach is pretty straightforward and not really that expensive if you look on the used market. Once you have the drive it's a simple matter to dump the tape contents into a file on your server/workstation.

For that matter, you don't even need the hardware; just send the tapes to a service bureau for conversion to LTO.

Fred F. • January 25, 2007 9:10 AM

Of course if she had said that the trade off between securing data that is out there already and just doing nothing when this happens we would still be pissed at her but this is essentially what she said. I think we should be pissed at Congress/Supreme Court/President/Governors/State Assemblies for allowing this situation to happen in the first place, not at a mindless drone too low in the totem pole to really do much.

no name • January 26, 2007 11:08 PM

I have a couple of questions. How many people are included in twenty five tapes?

Are either kcmo and the fed irs actually in trouble? Both should be.

kcmo for losing information and the irs giving information that should be classified. Did the city really need the bank account numbers along with names and social security numbers?

Also, is the irs going to give replacement tapes?

The news stations in kcmo don't even mention this any more. And as far as I know channel four mentioned it but I didn't hear anything about it on 41.

Dave • January 27, 2007 7:25 PM

Worse yet: every bank and credit union in the USA must send "bank match" information to an office in Maryland each quarter.

This info includes your name, ssn, account numbers and account balances.

It is usually sent US mail and cannot be encoded. Just plain ascii text on disk or tape readable by any Apple IIe :)

I don't know if it is scarier that the info is so insecure or that big brother has all your assets in one location under one number. This is (they say) for the purpose of catching deadbeat dads.

epimortum • January 28, 2007 10:50 AM

I used to work at the IRS. And one of the main causes I feel for this and other "stupid" actions arise from a HUGELY stupid action. The IRS and other governmental agencies have a tendency to out-source their IT department. The IRS calls it their MITS department. People dealing with information that is that sensitive should IMHO NEVER //NEVER// be out-sourced. This is one of the primary reasons why I left the IRS. Such blatantly unintelligent actions by people in power, and their adamant refusal to listen to reason from anyone lower. No matter how many years they worked there.

Big Charles • January 29, 2007 9:34 AM

"You would also need the proprietary COBOL language to decode the data."

Ah, no. Even recent versions of COBOL don't do encryption natively. If COBOL wrote the data then most likely you are looking at fixed length records. The only encoding is that the tape might be recorded using EBCDIC rather than ASCII. Such things are dealt with at the hardware or driver level these days.

I'm in Kansas City too. This government needs to be held up to ridicule EVERY time they do something stupid like this. It's a great city with an oversized government.
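
Added example, not part of the original post or of any comment: a check a data owner could run on a sample read back from a backup image before the media leaves the building, telling plain fixed-length records (ASCII or EBCDIC, as described in the comment above) from data that at least looks encrypted. The 40-character record layout, the sample values, the cp037 code page and the 7.5 bits/byte threshold are assumptions chosen for illustration.

```python
import hashlib
import math
from collections import Counter

CODEC_EBCDIC = "cp037"    # assumption: IBM US/Canada EBCDIC code page
ENTROPY_THRESHOLD = 7.5   # assumption: bits per byte, illustrative cut-off

def shannon_entropy(data: bytes) -> float:
    """Empirical entropy in bits per byte; close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def printable_ratio(data: bytes, codec: str) -> float:
    """Fraction of bytes that decode to printable ASCII text under codec."""
    text = data.decode(codec, errors="replace")
    return sum(ch.isascii() and ch.isprintable() for ch in text) / max(len(text), 1)

def classify_dump(data: bytes) -> str:
    """Classify a sample (a few KB) read back from a backup image."""
    if shannon_entropy(data) > ENTROPY_THRESHOLD:
        # Consistent with encryption, but compression looks the same,
        # so this is a necessary check, not proof of encryption.
        return "high-entropy"
    if printable_ratio(data, "ascii") > 0.95:
        return "plaintext-ascii"
    if printable_ratio(data, CODEC_EBCDIC) > 0.95:
        return "plaintext-ebcdic"
    return "unknown"

def make_record(name: str, tin: str, amount: int) -> str:
    """Constructed 40-character fixed-length record (hypothetical layout)."""
    return f"{name:<20}{tin:<9}{amount:011d}"

# Constructed sample data; no real identifiers.
_records = "".join(make_record(f"EXAMPLE PERSON {c}", "000000000", 1234)
                   for c in "ABC")
SAMPLE_ASCII = _records.encode("ascii")
SAMPLE_EBCDIC = _records.encode(CODEC_EBCDIC)
# Stand-in for ciphertext: a deterministic SHA-256 counter stream (4096 bytes).
SAMPLE_OPAQUE = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                         for i in range(128))

if __name__ == "__main__":
    for label, blob in [("ascii", SAMPLE_ASCII), ("ebcdic", SAMPLE_EBCDIC),
                        ("opaque", SAMPLE_OPAQUE)]:
        print(label, classify_dump(blob), round(shannon_entropy(blob), 2))
```

The EBCDIC sample shares almost no byte values with the ASCII one, yet a single standard-library codec call turns it back into the same text, which is why a character encoding does not count as protection for data in transit.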

Just an Analyst • January 29, 2007 12:53 PM

Ok .... Every year I produce information for the IRS (1099-misc) and, guess what??? I don't use a tape to send the data .... Get internet access and log onto F.I.R.E. and dump the data to the IRS. OK ... The IRS *DOES NOT* use encryption. Any old tape transport (of the correct format of course) will read the plain-text records. No "specialized" equipment is needed (unless you consider the tape transport as specialized). And, ... you can download the format from the IRS (tech bulletin issued each year), so you don't even need to figure out what information is in what location.

Someone in IT should be shot for not changing to a different method of delivery of this information to the IRS. It is very hard to lose an electronic transmission :)

Jack • August 4, 2008 1:14 AM

Losing someone's personal information is a real bad thing. There should be some level of security in order to ensure the safety of personal data. It should be stored with tight encoding scripts and kept with appropriate security.

==============
Jack
Kansas Treatment Centers


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..