IRS Security Holes Put Taxpayer Data At Risk

Type threatpost
Reporter Paul Roberts
Modified 2013-04-17T16:34:56


With the deadline for filing U.S. tax returns fast approaching, the U.S. Government’s watchdog agency warns that the Internal Revenue Service still hasn’t implemented steps to secure its IT infrastructure and protect taxpayers’ financial data.

The U.S. Government Accountability Office (GAO) issued a report on March 15 saying that the IRS still hasn’t fully implemented key components of a comprehensive information security program. In fact, around 74 percent of known weaknesses in the IRS’s IT infrastructure remain unresolved or unmitigated, GAO found. The failures could make the IRS’s financial systems and information “unnecessarily vulnerable to insider threats, including errors or mistakes and fraudulent or malevolent acts by insiders,” the report found.

The IRS is the U.S. Government’s tax collection agency. In 2010, the agency processed more than 144 million individual and 2.4 million corporate tax returns, totalling $1.4 trillion.

The report, “IRS Needs to Enhance Internal Control over Financial Reporting and Taxpayer Data” (GAO-11-308), is the product of a broader GAO audit of the IRS’s 2009 and 2010 financial statements. The GAO assessed whether the IRS had implemented adequate controls over key financial and tax processing systems to ensure the integrity of those systems and of taxpayer data. The GAO evaluated the IRS’s IT security policies and procedures and tested controls over “key financial applications.” The findings were not encouraging.

According to GAO, the IRS does not sufficiently restrict user access to databases based on user role, a problem first reported more than three years ago. Nor does the IRS adequately secure the system it uses to support and manage access requests, approvals and reviews. Database software used to support the IRS’s general ledger system wasn’t updated and lacked sufficient auditing features.

In all, 65 of 88 IT control weaknesses that had been previously reported to the IRS were unresolved or unmitigated, GAO found. More troubling: the IRS’s own efforts to track its progress in fixing those problems seemed to be unreliable. GAO found that the agency reported it had resolved 39 of the 88 previously identified weaknesses, but a review of those fixes revealed that 16 of the 39 had not actually been mitigated.

The result is that “financial and taxpayer information are at increased risk of unauthorized disclosure, modification or destruction,” while financial data is “at increased risk of errors that result in misstatement; and the agency’s management decisions may be based on unreliable or inaccurate financial information,” GAO said.

The GAO recommended a number of steps to improve information security at the IRS. Among them: regular risk assessments following significant changes to the IRS’s systems, changes to password controls and an updated application security plan.

The IRS’s Commissioner of Internal Revenue, Douglas Shulman, responded to the report, saying that the agency takes the security of taxpayer data seriously and is “steadily progressing toward eliminating the material weakness in information security by establishing enterprise repeatable processes.” The IRS will issue a “detailed corrective action plan” addressing each of the recommendations in the GAO report, GAO said.

This isn’t the first time that the GAO has criticized the IRS’s IT security practices. A report in 2008 found “pervasive weaknesses” in the IRS’s IT security practices. The agency failed to enforce strong passwords, encrypt sensitive data, monitor changes on its mainframe systems or physically protect critical IT resources.