IRS Computer Security Procedures Criticized

Published April 1, 2009

The Government Accountability Office has issued a scathing report sharply criticizing the computer security systems of the Internal Revenue Service, saying the federal tax agency has failed to properly protect personal data on millions of American taxpayers.

Congress’s audit, evaluation, and investigative agency said the IRS allows “sensitive information, including IDs and passwords, to be readily available to any user on its internal network, and grants excessive access to individuals who do not need it.”

The GAO also cited the IRS in its January report for failing to encrypt data, monitor its mainframe for changes, and physically restrict access to its computers. The report identified weaknesses in numerous areas—including access control, monitoring of system access, and disaster recovery—in a new Customer Account Data Engine system the IRS is rolling out, and in a related Account Management system.

Host of Problems

According to the GAO report, contractors working for the IRS can make configuration changes without prior notice or approval. There are no processes in place for verifying whether data archived on backup tapes are being stored properly and can easily be recovered if needed, according to the report.

“This has opened up the taxpayers to a host of issues,” said Shawn Fry, CIO of Safety Send, a firm that provides secure file transfers and other security solutions. “Not only is their financial data exposed, the IRS also is failing to have a proper chain of custody to show who has access to the information.”

The personal identification information can be sold on the street for anywhere from $10 to $1,000 per account, Fry said, with the “street value” determined by the account holder’s net worth.

Compounding the Damage

“Taxpayers have already incurred substantial damages due to the lack of enforcement by regulatory agencies,” Fry added. “The IRS mandates the exchange of electronic information but doesn’t ensure that it’s secure.

“And there’s a growing pool of [criminals] out there that are not dissimilar to the Somali pirates,” Fry said. “Their bounty is your personal information. If I get the information on your tax return, I can get a house loan [or qualify for other types of credit].”

If an identity is stolen, the resulting credit and other problems can take seven to 10 years to correct, according to Fry. He said the government has misplaced its priorities by spending money on trying to repair security breaches after they’ve occurred instead of keeping the data secure in the first place by investing in encryption and other needed security tools and procedures.

Private Sector on Hold

Fry said the private sector is unlikely to do anything about the problem before there’s better enforcement of federal laws that require private firms to take extraordinary security precautions.

“The IRS needs to be on the leading edge of security precautions,” added Elizabeth Ireland, vice president of strategy for nCircle, a security auditing company based in San Francisco, California. “Hackers will go for the best information they can get. And who has that? The IRS.”

Fry agreed, pointing out the IRS has more personal information than any other government agency or private firm.

No Quick Fix

The IRS security flaws won’t be fixed any time soon, analysts say. Ireland notes building proper security or correcting security flaws is a time-consuming process.

Allan Pearlman, an independent, New York-based attorney who represents taxpayers in disagreements with the IRS, said complaints about IRS employees accessing personal taxpayer information for no justifiable reason are not uncommon, leading to occasional purges of IRS personnel.

“It seems to me that people should be working on preventing this from happening,” Pearlman said. “The IRS should be involved in increasing the integrity of the system. They have a duty to investigate these problems and stop them.”

Individual Protection Measures

But Pearlman and others agree people can’t count on the IRS to protect their information. Individuals must take steps themselves to protect it, including making sure their personal computers have the latest security updates, particularly if filing taxes electronically.

In addition, experts suggest communicating with the IRS via phone and letter when discussing private information, and not leaving tax return information where others can see it online or offline.

Phil Britt ([email protected]) writes from South Holland, Illinois.

For more information …

Information Security: Continued Efforts Needed to Address Significant Weaknesses at IRS, Government Accountability Office, January 9, 2009: