GAO Blasts IRS Security, Says Taxpayer Data Vulnerable - InformationWeek


Government Accounting Office says lack of security controls means the IRS might not even know if an identity breach has already occurred.

The Internal Revenue Service hasn't done enough to lock up taxpayer information, the General Accounting Office (GAO) said in a recent report, and unless the tax collector gets in gear, there's a chance massive identity theft could put millions of Americans at risk from criminals.

"This lack of systems security at the IRS is completely unacceptable and needs to be corrected immediately," said Rep. F. James Sensenbrenner (R-Wis.), the chairman of the House Judiciary Committee, which received the report from the GAO.

The news comes as stories on identity theft, security breaches, and lost customer data make the news nearly daily. The most recent: a hack of a retailer's database that exposed 1.4 million customer accounts.

"In the past few months, we have seen actual breaches of personal information by data collection agencies affecting hundreds of thousands of private citizens. We must not allow similar breaches to occur on the part of the government," added Rep. John Conyers (D-Mich.), the ranking Democrat on the Judiciary Committee, in a statement.

According to the GAO report, the IRS is actually losing ground. In 2002, when the accounting agency did its last security review, it found 53 weaknesses. Since then, the IRS has corrected or mitigated 32. In the meantime, another 39 weaknesses have popped up to boost the current total to 60.

"[The] IRS has not implemented effective electronic access controls to prevent, limit, or detect unauthorized access to computing resources from the internal IRS computer network," stated the report in GAO-ese. In plainer English, there are numerous ways that taxpayer information--including Social Security numbers, income, addresses, and phone numbers--could be illegally accessed.

The GAO, for instance, found that nearly 7,500 mainframe users, which included IRS employees, independent contractors, and non-IRS government employees, all have the ability to access and even change "sensitive taxpayer" data. Lack of other security controls and wide-open access privileges mean that the IRS might not even know if an identity breach has occurred, said the GAO.

All the GAO could conclude was that "taxpayer data may have been disclosed to unauthorized individuals."

The IRS is also in charge of data for the Bank Secrecy Act, which is used by law enforcement and federal agencies to investigate financial crimes such as money laundering and terrorist funding ventures. That data, said the GAO, is not properly separated from taxpayer information, which can give police investigators illegal access to IRS records.

During its August-through-December, 2004, audit, the GAO tested the IRS's security, and found it wanting. "Law enforcement could read or copy taxpayer information," the report said.

Other flaws included unpatched servers vulnerable to general in-the-wild exploits, improperly-secured password files, and the omission of Unix and Windows systems in the IRS's disaster recovery plans.

"Unless these weaknesses are corrected, sensitive taxpayer and Bank Secrecy Act data will remain at risk of unauthorized disclosure, use, modification, or destruction, possibly without detection," the report concluded.

In his official reply to the report, the acting deputy secretary for the Treasury, Arnold Havens, said that some changes had already been made to address the GAO's concerns, and that others would be wrapped up by the end of fiscal 2005.

Havens also promised that the IRS, which is part of the Treasury Department, "will assess the extent to which taxpayer data may have potentially been disclosed to unauthorized individuals."

The full GAO report can be downloaded in PDF format from the agency's Web site.
