chevron-down Created with Sketch Beta.

GPSolo Magazine

GPSolo Magazine Article Archives

Impossible to Be Sure of Anything but Hacking and Taxes

James Ellis Arden

Summary

  • Any efficient way for a hacker to earn a living is to shut down an entity’s computer system until the victim pays the hacker a ransom to get the system back up and running.
  • With hacking pervasive across industries, one related question is whether ransomware payments are tax deductible.
  • Neither the Treasury Department, Congress, nor the Internal Revenue Service has addressed ransomware, which involves payments similar to bribery, extortion, and kidnapping.
Impossible to Be Sure of Anything but Hacking and Taxes
tadamichi via Getty Images

Jump to:

Imagine you’re on the freeway, headed to court. The sun is shining. No clouds in the sky. Suddenly, wiper fluid starts spraying up on your windshield so you can’t see. You switch on your windshield wipers, but they don’t work. Bam! You hit the car in front of you. Your car has been hacked.

Modern cars are full of micro-computers and connect to the Internet like everything else these days. That makes automobiles as susceptible to hackers as anything else connected to the Internet, such as phones, refrigerators, and baby monitors.

Researchers hacked a Jeep Cherokee in 2015, remotely turning on the air conditioning and using the windscreen wipers while squirting wiper fluid onto the windshield. They paralyzed the steering wheel while the car was in motion, disabled the car’s brakes, and caused unintended acceleration. Hackers have engaged car brakes remotely and accelerated a car against the driver’s will. A 2020 article by Leah Campbell quotes digital privacy expert Ray Walsh as saying, “it is only a matter of time before new wireless exploits are discovered in the wild.” Campbell goes on to say that if a hacker wanted to hurt you physically and could access your car’s systems, this would be one way to do that: “There is a very real danger that car hacking could be used for purposes of covert assassination.” This, from that edgy, controversial publication, Readers Digest (Leah Campbell, “Five Ways Hackers Can Take Control of Your Car,Reader’s Digest, Apr. 15, 2020).

Tax firms are being hacked, too. Tax returns are a gold mine for identity thieves because they contain most of the information required to open accounts in other people’s names. Tax return records have been stolen from (at least) dozens of smaller tax firms hacked just this year (“Small Firms Hacked for Tax Returns,” West Virginia Society of CPAs).

Small firm or large, the duties to preserve confidentiality are the same. Financial software maker Intuit notified users of its TurboTax platform this year that some of their personal and financial information was accessed in a series of account takeover attacks. The hackers obtained information from tax returns that included Social Security numbers, addresses, birthdates, driver’s license numbers, financial information such as salaries and deductions, and information of other individuals contained in the returns. Intuit suggested the hackers were able to break into its users’ accounts because those taxpayers had—stupidly (my characterization)—used the same passwords on other sites, from which their login information had been stolen (Mayank Sharma, “TurboTax Customer Accounts Affected by Cyberattack,” TechRadar, June 14, 2021).

Hacking is Much Easier Than Kidnapping

We’ve all been told not to use the same password on different websites. But password theft isn’t the worst danger from hacking. Ransomware is where the real money’s being stolen. Turns out, a really efficient way for a hacker to earn a living is to shut down an entity’s computer system until the victim pays the hacker a ransom to get the system back up and running.

Last February, Campbell Conroy & O’Neil, a major law firm with clients such as Ford, ExxonMobil, and Coca-Cola, was hit by ransomware. The hackers encrypted and accessed a system containing confidential information. How much data was accessed or stolen is not clear, but the firm did disclose that “names, dates of birth, driver’s license numbers/state identification numbers, financial account information, Social Security numbers, passport numbers, payment card information, medical information, health insurance information, biometric data, and/or online account credentials (i.e., usernames and passwords)” may have been leaked (Brian Fung, “Ransomware Hits Law Firm with Dozens of Major Corporate Clients,” CNN Business, July 19, 2021).

Ransomware hacks are becoming increasingly frequent, fueled, some say, by the invention of cryptocurrencies such as Bitcoin. In June 2021, the world’s largest meat processor, JBS SA, announced that it paid $11 million in Bitcoin after a cyberattack forced the shutdown of its plants in the United States, Canada, and Australia. Bitcoin facilitates these crimes. “It’s fast. It’s easy. Best of all, it’s largely anonymous and hard to trace” (Greg Myre, “How Bitcoin Has Fueled Ransomware Attacks,” NPR, June 10, 2021).

Because crime and technology have taken away our privacies and enabled Internet tracking, attorneys’ cars can be identified and targeted for ransomware. When ransomware attacks move to cars, drivers will not be able to start their vehicles until they pay off the hacker. If they don’t, they’ll “have to get it towed and get all new software to start it” (Sebastian Blanco, “Car Hacking Danger Is Likely Closer Than You Think,” Car and Driver, Sept. 4, 2021).

Automotive hacks have exploded since 2015. One hacker cracked some 27,000 accounts used to manage commercial fleets through GPS signals. The hacker tracked vehicles in foreign countries, including India and the Philippines, and shut down the engines of vehicles that were stopped or traveling slower than 12 miles per hour. The hacker was also able to access information on the users from their accounts (Fredrick Kunkle, “Auto Industry Says Cybersecurity Is a Significant Concern as Cars Become More Automated,” Washington Post, Apr. 30, 2019).

Ransomware attacks on transportation companies have been reported, too. A ransomware attack on Toll Group, an Australian transportation company, affected 1,000 servers and 40,000 employees. Also, Honda was “forced to stop production” last June due to ransomware attacks on plants in Europe and Japan. Customer service and financial services networks both experienced “technical difficulties” and became unavailable. (Davey Winder, “Honda Hacked: Japanese Car Giant Confirms Cyber Attack on Global Operations,” Forbes, June 10, 2020).

There May Be a Silver Lining If You Pay Ransom for Your Car or Your Files

Though the FBI advises businesses hit with ransomware attacks not to pay the cybercriminals, the U.S. government may allow such businesses to deduct the ransom from their taxes. Multiple tax experts said such deductions are usually allowed under law and established guidance. “It’s a ‘silver lining’ to ransomware victims” (Alan Suderman and Marcy Gordon, “Hit by a Ransomware Attack? Your Payment May Be Deductible,Associated Press, June 19, 2021).

To be tax deductible, business expenses should be considered ordinary and necessary, and deductions have long been allowed for losses from more traditional crimes such as robbery or embezzlement. Authors Suderman and Gordon (Id.) note the advice of Scott Harty, a corporate tax attorney with Alston & Bird: “I would counsel a client to take a deduction for it. . . . It fits the definition of an ordinary and necessary expense.” Don Williamson, a tax professor at the Kogod School of Business at American University, explains, “It’s becoming more common, so therefore it becomes more ordinary” (Id.).

Others, however, argue that allowing ransomware payments to be deducted would entice businesses to pay ransoms against the advice of law enforcement and thereby encourage more hacking. “‘The cheaper we make it to pay that ransom, then the more incentives we’re creating for companies to pay, and the more incentives we’re creating for companies to pay, the more incentive we’re creating for criminals to continue,’ said Josephine Wolff, a cybersecurity policy professor at the Fletcher School of Tufts University” (Id.).

Suderman and Gordon also note that a “ransomware attack on Colonial Pipeline last month led to gas shortages in parts of the United States. The company, which transports about 45 percent of fuel consumed on the East Coast, paid a ransom of 75 bitcoin—then valued at roughly $4.4 million” (Id.).

Neither the Treasury Department, Congress, nor the Internal Revenue Service has addressed ransomware, which involves payments similar to bribery, extortion, and kidnapping—but using software and networks.

“Heck, what’s a little extortion among friends?”—Bill Watterson

    Authors