
April 20, 2005 (2:17 PM EDT)

GAO Blasts IRS Security, Says Taxpayer Data Vulnerable

By Gregg Keizer

The Internal Revenue Service hasn't done enough to lock up taxpayer information, the General Accounting Office (GAO) said in a recent report, and unless the tax collector gets in gear, there's a chance massive identity theft could put millions of Americans at risk to criminals.

"This lack of systems security at the IRS is completely unacceptable and needs to be corrected immediately," said Rep. F. James Sensenbrenner (R-Wis.), the chairman of the House Judiciary Committee, which received the report from the GAO.

The news comes as stories on identity theft, security breaches, and lost customer data make the news nearly daily. The most recent: a hack of a retailer's database that exposed 1.4 million customer accounts.

"In the past few months, we have seen actual breaches of personal information by data collection agencies affecting hundreds of thousands of private citizens. We must not allow similar breaches to occur on the part of the government," added Rep. John Conyers (D-Mich.), the ranking Democrat on the Judiciary Committee, in a statement.

According to the GAO report, the IRS is actually losing ground. In 2002, when the accounting agency did its last security review, it found 53 weaknesses. Since then, the IRS has corrected or mitigated 32. In the meantime, another 39 weaknesses have popped up to boost the current total to 60.

"[The] IRS has not implemented effective electronic access controls to prevent, limit, or detect unauthorized access to computing resources from the internal IRS computer network," stated the report in GAO-ese. In plainer English, there are numerous ways that taxpayer information--including Social Security numbers, income, addresses, and phone numbers--could be illegally accessed.

The GAO, for instance, found that nearly 7,500 mainframe users, which included IRS employees, independent contractors, and non-IRS government employees, all have the ability to access and even change "sensitive taxpayer" data. Lack of other security controls and wide-open access privileges mean that the IRS might not even know if an identity breach has occurred, said the GAO.

All the GAO could conclude was that "taxpayer data may have been disclosed to unauthorized individuals."

The IRS is also in charge of data for the Bank Secrecy Act, which is used by law enforcement and federal agencies to investigate financial crimes such as money laundering and terrorist funding ventures. That data, said the GAO, is not properly separated from taxpayer information, which can give police investigators illegal access to IRS records.

During its August-through-December, 2004, audit, the GAO tested the IRS's security, and found it wanting. "Law enforcement could read or copy taxpayer information," the report said.

Other flaws included unpatched servers vulnerable to general in-the-wild exploits, improperly-secured password files, and the omission of Unix and Windows systems in the IRS's disaster recovery plans.

"Unless these weaknesses are corrected, sensitive taxpayer and Bank Secrecy Act data will remain at risk of unauthorized disclosure, use, modification, or destruction, possibly without detection," the report concluded.

In his official reply to the report, the acting deputy secretary for the Treasury, Arnold Havens, said that some changes had already been made to address the GAO's concerns, and that others would be wrapped up by the end of fiscal 2005.

Havens also promised that the IRS, which is part of the Treasury Department, "will assess the extent to which taxpayer data may have potentially been disclosed to unauthorized individuals."

The full GAO report can be downloaded in PDF format from the agency's Web site.

