By Gregg Keizer ,
The Internal Revenue Service hasn't done enough to lock up taxpayer information, the General Accounting Office (GAO) said in a recent report, and unless the tax collector gets in gear, there's a chance massive identity theft could put millions of Americans at risk to criminals.
""This lack of systems security at the IRS is completely unacceptable and needs to be corrected immediately,"" said Rep. F. James Sensenbrenner (R-Wis.), the chairman of the House Judiciary Committee, which received the report from the GAO.
The news comes as stories on identity theft, security breaches, and lost customer data make the news nearly daily. The most recent: a hack of a retailer's database that exposed 1.4 million customer accounts.
""In the past few months, we have seen actual breaches of personal information by data collection agencies affecting hundreds of thousands of private citizens. We must not allow similar breaches to occur on the part of the government,"" added Rep. John Conyers (D-Mich.), the ranking Democrat on the Judiciary Committee, in a statement.
According to the GAO report, the IRS is actually losing ground. In 2002, when the accounting agency did its last security review, it found 53 weaknesses. Since then, the IRS has corrected or mitigated 32. In the meantime, another 39 weaknesses have popped up to boost the current total to 60.
""[The] IRS has not implemented effective electronic access controls to prevent, limit, or detect unauthorized access to computing resources from the internal IRS computer network,"" stated the report in GAO-ese. In plainer English, there are numerous ways that taxpayer information--including Social Security numbers, income, addresses, and phone numbers--could be illegally accessed.
The GAO, for instance, found that nearly 7,500 mainframe users, which included IRS employees, independent contractors, and non-IRS government employees, all have the ability to access and even change ""sensitive taxpayer"" data. Lack of other security controls and wide-open access privileges mean that the IRS might not even know if an identity breach has occurred, said the GAO.
All the GAO could conclude was that ""taxpayer data may have been disclosed to unauthorized individuals.""
The IRS is also in charge of data for the Bank Secrecy Act, which is used by law enforcement and federal agencies to investigate financial crimes such as money laundering and terrorist funding ventures. That data, said the GAO, is not properly separated from taxpayer information, which can give police investigators illegal access to IRS records.
During its August-through-December, 2004, audit, the GAO tested the IRS's security, and found it wanting. ""Law enforcement could read or copy taxpayer information,"" the report said.
Other flaws included unpatched servers vulnerable to general in-the-wild exploits, improperly-secured password files, and the omission of Unix and Windows systems in the IRS's disaster recovery plans.
""Unless these weaknesses are corrected, sensitive taxpayer and Bank Secrecy Act data will remain at risk of unauthorized disclosure, use, modification, or destruction, possibly without detection,"" the report concluded.
In his official reply to the report, the acting deputy secretary for the Treasury, Arnold Havens, said that some changes had already been made to address the GAO's concerns, and that others would be wrapped up by the end of fiscal 2005.
Havens also promised that the IRS, which is part of the Treasury Department, ""will assess the extent to which taxpayer data may have potentially been disclosed to unauthorized individuals.""
The full GAO report can be downloaded in PDF format from the agency's Web site.
|
BreakthroughIT seeking Project Manager in Groton, CT
Monsanto seeing IT Transportation and Optimization Analyst in St. Louis, MO
Princeton Financial Systems seeking Business Analyst 4 in Princeton, NJ
CSAA seeking IT Analyst IV in Glendale, AZ
DisplaySearch seeking IT Project Manager in Austin, TX
For more great jobs, career-related news, features and services, please visit our ""Career Center.
TechWeb's FREE e-mail newsletters deliver the news you need to come out on top.
Get definitions for more than 20,000 IT terms.
Editorial and vendor perspectives
Come up to speed on KVM-over-IP solutions: Download the free buyers guide
Eliminate the effort from your Microsoft Vista migration