Perhaps you read about the recent data breach of the Internal Revenue Service's Get Transcript website. And perhaps you mentally filed that information away with a long list of other data breaches that have made headlines over the past couple of years.

The story is always the same; only the names change. Cybercriminals manage to plant some form of malware on a server. That malware then harvests data from the server and ships it off via the Internet to some under-policed part of the world. There it's typically sold—or as in the case of the Sony breach, it can simply be used to embarrass someone.

Except that's not at all what happened with the IRS. Technically speaking, the IRS server was not hacked. In fact, in this particular instance, the Get Transcript service was used exactly as intended; it just wasn't used by the legitimate, intended taxpayers.

How can that be?

New users accessing the Get Transcript service are required to answer a number of security questions—questions that the IRS believed only the legitimate taxpayer would have the answers to. The perpetrators of this breach made about 200,000 attempts to access the system in this manner, and they were successful about half the time. In other words, the perpetrators thought they had collected enough personal information on 200,000 taxpayers to make it through the security question gauntlet, and they were correct with 100,000 of them.
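The numbers above are themselves a detection signal: legitimate users answering questions about their own lives pass a knowledge-based-authentication (KBA) gate at a high rate, so a sudden surge of attempts in which roughly half fail looks nothing like normal traffic. The script below is an added example, not code from the article or from the IRS; it runs over a constructed audit log (the `ts id=... kba=pass|fail` line format, the identifiers and the timestamps are all assumptions) and flags any hour whose attempt volume and failure rate both jump well above a baseline taken from earlier hours.

```python
# Added example (not from the article): spotting bulk abuse of a
# knowledge-based-authentication (KBA) gate from its own audit log.
# Legitimate users pass at a high rate; the article's 200,000 attempts
# with about half successful describe far more volume and a far higher
# failure rate than normal, which is what this script looks for.
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one KBA attempt per line. Identifiers and
# timestamps are made up; the line format is an assumption.
SAMPLE_LOG = """\
2015-05-01T09:03:10 id=U001 kba=pass
2015-05-01T09:17:42 id=U002 kba=pass
2015-05-01T09:31:05 id=U003 kba=pass
2015-05-01T09:52:58 id=U004 kba=pass
2015-05-01T10:05:11 id=U005 kba=pass
2015-05-01T10:20:30 id=U006 kba=fail
2015-05-01T10:38:47 id=U007 kba=pass
2015-05-01T10:55:02 id=U008 kba=pass
2015-05-01T11:00:01 id=U101 kba=fail
2015-05-01T11:00:03 id=U102 kba=pass
2015-05-01T11:00:04 id=U103 kba=fail
2015-05-01T11:00:06 id=U104 kba=pass
2015-05-01T11:00:07 id=U105 kba=fail
2015-05-01T11:00:09 id=U106 kba=pass
2015-05-01T11:00:10 id=U107 kba=fail
2015-05-01T11:00:12 id=U108 kba=pass
2015-05-01T11:00:13 id=U109 kba=fail
2015-05-01T11:00:15 id=U110 kba=pass
2015-05-01T11:00:16 id=U111 kba=fail
2015-05-01T11:00:18 id=U112 kba=pass
"""


def parse_kba_log(text):
    """Parse log lines into (timestamp, identifier, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, id_field, kba_field = line.split()
        events.append((datetime.fromisoformat(ts),
                       id_field.split("=", 1)[1],
                       kba_field.split("=", 1)[1]))
    return events


def hourly_stats(events):
    """Count attempts and failures per hour bucket (key: YYYY-MM-DDTHH)."""
    stats = defaultdict(lambda: {"attempts": 0, "fails": 0})
    for ts, _, outcome in events:
        bucket = ts.strftime("%Y-%m-%dT%H")
        stats[bucket]["attempts"] += 1
        if outcome == "fail":
            stats[bucket]["fails"] += 1
    return dict(stats)


def baseline_from(stats, hours):
    """Mean attempts per hour and pooled failure rate over the given hours."""
    attempts = sum(stats[h]["attempts"] for h in hours)
    fails = sum(stats[h]["fails"] for h in hours)
    return attempts / len(hours), fails / attempts


def flag_hours(stats, base_attempts, base_fail_rate,
               volume_factor=3.0, fail_rate_floor=0.30):
    """Flag hours where volume and failure rate both exceed the baseline."""
    flagged = []
    for hour in sorted(stats):
        s = stats[hour]
        fail_rate = s["fails"] / s["attempts"]
        volume_spike = s["attempts"] >= volume_factor * base_attempts
        rate_spike = fail_rate >= max(fail_rate_floor, 2 * base_fail_rate)
        if volume_spike and rate_spike:
            flagged.append(hour)
    return flagged


def detect(text, baseline_hours=2):
    """Use the earliest hours in the log as the baseline, flag the rest."""
    stats = hourly_stats(parse_kba_log(text))
    base = sorted(stats)[:baseline_hours]
    base_attempts, base_fail_rate = baseline_from(stats, base)
    return flag_hours(stats, base_attempts, base_fail_rate)


if __name__ == "__main__":
    for hour in detect(SAMPLE_LOG):
        print("suspicious KBA traffic in hour", hour)
```

With the constructed log the two morning hours set a baseline of four attempts per hour and a 12.5% failure rate; the 11:00 hour, with twelve attempts and six failures, trips both thresholds and is reported. The thresholds are deliberately simple; in production they would be tuned against the service's own history, and the per-hour alert would be the trigger for rate limiting or stepping up to a stronger factor rather than the whole response.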

Looked at yet another way, the IRS breach was actually step 2 in this crime. Step 1 was collecting enough personal information on tens of thousands of taxpayers to execute the breach. Exactly how or where that data was collected has yet to be determined, but consider this example:

Mother's maiden name has been a common security question for decades. How easy is it to figure out someone's mother's maiden name?

Suppose for a moment that you have a Facebook account. And suppose for a moment that you've identified a particular Facebook “friend” as your mother. And suppose for a moment that to make it easier for childhood friends to find her on Facebook, your mother has included her maiden name in her Facebook profile. And finally, assume for a moment that neither you nor your mother has adjusted the Facebook security settings so that currently anyone subscribed to Facebook can see both profiles.

That would mean that your mother's maiden name is just a couple of mouse clicks away for anyone with any interest in finding it.

Whether or not the perpetrators of the IRS breach used this particular technique to harvest data remains to be seen. However, it's fairly certain that all of this started with taxpayers who were sloppy with the protection of their personal information in one way or another.

No matter how innocuous the information seems, when matched up with many other equally innocuous data points, a cybercriminal can create a significant and damaging profile of any credit union member. As your members' trusted financial partner, you have a responsibility to keep those members informed and educated to help them avoid such situations.

The odd thing about crime prevention is that there's no real way to know what you've actually prevented. You may be helping your members in ways they'll never really know.
