There is an even bigger threat to your invoice information you are not yet aware of, even if no public security hacks have been reported.
Both on our blog and on our Twitter account, we often stress the importance of data security. Failures of this security can lead to data breaches, which can result in significant costs for companies. This is especially relevant for invoice information, as it contains pricing information. Many governments around the world are currently implementing real-time reporting systems, which require taxpayers to share this sensitive information with the tax authority. In this blog post, we will explain why it is important to protect this extremely valuable data, even from governments.
Invoice information, a valuable good
Data breaches can be highly costly. One of the “best” examples is the Yahoo data breach. Some argue that this data breach cost Yahoo’s shareholders $1 billion or more. It is harder to put a direct price tag on the exposure of invoice information, but it is fairly easy to show why this would significantly hurt businesses and even an entire economy.
IBFD’s Zsolt Szatmari formulated the importance of invoice information as follows: “If that [invoice information] would be exposed, you could see for example that a supplier might be charging different prices for the same goods to different business partners.” No business owner would want this to happen, as it would seriously harm the customer relationship of the company suffering a data breach. Furthermore, it could damage the company’s reputation.
The exposure of invoice information can even have a national impact if the pricing information falls into the hands of a foreign competitor. This foreign competitor can use the pricing information to adjust its own prices to perfectly outcompete the domestic company. When a company within a vital sector of the economy suffers from this situation, it could have far-reaching consequences for the entire economy. This could be especially dangerous when a foreign government instructs hackers to expose this type of information. Such a scenario is not unrealistic, as these government hacks seem to occur more often every year. A prime example is the alleged Russian government hack of SolarWinds’ proprietary Orion network monitoring software, which destroyed the security of top US government agencies and tech companies. This is an extremely delicate situation as “the data within these networks, user IDs, passwords, financial records, source code, you name it, can be presumed now to be in the hands of Russian intelligence agents”.
Protecting your invoice information, even from your own government
The risks described above all came from ‘outside’, either from a competing (foreign) company or a foreign state actor. However, data breaches can also be the result of human error by government officials. An absolutely harrowing example was the exposure of the information of 191 million US voters. The cause of the data breach: an incorrectly configured database. A less extreme, but nonetheless very telling, example is a data breach that occurred in Singapore. In December 2019 a Singaporean government official inadvertently sent the personal information of 6,541 people to 41 individuals and 22 organisations. Although minor compared to the information of 191 million voters, it shows that such errors are easily made: it only takes an email sent to the wrong person to create a data breach.
In addition to protection from human error within one’s own government, invoice information should also be protected from corrupt government officials. It is important to note, and we cannot stress this enough, that most governments and government officials will do everything they can to protect the privacy and confidentiality of their taxpayers. Unfortunately, there are a few too many examples of data breaches that were the result of corruptible government officials. An extreme example was recently discovered by the researchers of Bellingcat. Bellingcat found that it is possible to acquire, for a couple of hundred euros, detailed phone records of Russian Federal Security Service (FSB) agents.
With this data one can analyse the whereabouts of an FSB agent, with whom they were in contact and where they stayed during the day. Bellingcat even managed to buy information about Anatoli Tsjepoega, one of the people involved in the attack on double agent Sergei Skripal, such as his driver’s license, social security number, address, type of car, number plate and traffic tickets. But FSB agents were not the only targets: in the past the same agency also offered to sell information to other parties, either to make some money on the side or to achieve a political goal. The point is that you do not only have to protect against hackers, which is already difficult and expensive; you also have to protect against state actors, which one might argue is almost impossible.
Although the sale of citizens’ data on the black market does not happen in all states, it shows that governments have direct access to a lot of sensitive data. It only takes one human error or one corruptible government official to create a serious data breach.
How to protect invoice information while increasing government VAT revenue
In order to increase VAT revenue, many governments around the world are implementing real-time reporting systems. These systems require VAT-registered businesses to report their invoices to the tax authority. The results of real-time reporting in countries that have already implemented such a system are impressive. For example, Italy reduced the time needed to detect a fraudster from 18 months to 3 months and Egypt managed to increase its VAT revenue by 15% due to real-time reporting.
The fact that data breaches often occur because of human error and corruption should be taken into account when implementing a real-time reporting system. Unfortunately, this does not yet seem to be the case, as all data is often stored in plain text so that government officials can analyse the data if necessary. The different examples described above show that this is a very risky way of storing such valuable information.