Report finds security weaknesses in IRS computer system

Monday, April 7, 2008 | 10:21 p.m. CDT; updated 8:35 p.m. CDT, Sunday, July 20, 2008

WASHINGTON — One more tax-season dread: A week before the filing deadline, Treasury watchdogs said Monday that poor controls over IRS computers could allow a disgruntled employee, agency contractor or outside hacker to steal taxpayers’ confidential information.

Indeed, a hacker might even “gain full control of the IRS network,” according to Monday’s report from the office of the Treasury Inspector General for Tax Administration.

Information on taxes, help before April 15

Taxes due April 15

The post office at 511 E. Walnut St. will be open from 8:30 a.m. to 7 p.m. on April 15. Don’t want to stand in line? Go to room 101 to get any packages stamped with the correct date. Source: Jackie Cook, postmaster of the Columbia Post Office

For tax help:

Volunteers for AARP Tax-Aid offer free tax help to low-income individuals: 9:15 a.m. to 12:30 p.m. Monday, Wednesday and Friday through April 15 in the Training Center at the Columbia Public Library, 100 W. Broadway. The library will continue to offer tax aid at the same times until April 30 for returns concerning stimulus packages. 3 to 7 p.m. Mondays and Tuesdays and 11 a.m. to 3 p.m. Thursdays through April 15 at Missouri United Methodist Church, 204 S. Ninth St. MU Extension offers assistance for working individuals and families with incomes less than $40,000: 4:30 to 8 p.m. Tuesdays, Wednesdays and Thursdays, 10 a.m. to 1:30 p.m. Saturdays through April 15 in 61 Stanley Hall at MU, and from 10 a.m. to 1:30 p.m. Mondays and Wednesdays through April 14 at Central Missouri Community Action, 400 Wilkes Blvd. For information about nonresident tax assistance for MU students, faculty and staff, visit Sources: Online at the Columbia Public Library’s “Local Taxpayer Assistance” and Cyrus Harbourt, AARP Tax-Aid coordinator

Investigators did not cite any specific cases of wrongdoing within the IRS, which processes some 137 million tax returns. But they suggested a lack of review means someone could get sensitive information and no one would ever know.

The report comes amid increasing scrutiny of the IRS and the problems posed both by security concerns within the system and identity theft threats from outside:

  • The independent IRS Oversight Board, in a report issued last month, outlined some $32 million in spending it said was needed to enhance the tax agency’s security. “Disrupting IRS returns processing and stealing sensitive information could wreak havoc on the economy and financial markets,” according to the report.
  • Separately, IRS Commissioner Douglas Shulman will testify before Congress on Thursday about scams in which people are fooled into revealing their Social Security numbers and other confidential information by e-mails and phone calls purported to be coming from the IRS. The tax agency said last month that taxpayers this year had already forwarded to the agency 33,000 ‘phishing’ scam e-mails from more than 1,500 different schemes.

Inside the IRS, Monday’s inspector general report dealt specifically with the thousands of routers and data switches that connect networks and direct computer traffic among the tax agency’s offices. It suggested that “an unscrupulous person could divert data traffic through a third-party system on its way to the intended destination.”

A review found that the IRS had authorized 374 accounts for employees and contractors that could be used to perform system administration duties. But of those, 141 either had expired authorizations or had never been properly authorized.

There was particular concern that 27 of the 55 employees and contractors who apparently had not been authorized had accessed routers and switches to change security configurations.

In addition, system administrations circumvented authentication controls by setting up 34 unauthorized accounts that appeared to be shared-use accounts, the report found. During the fiscal 2007, some 4.4 million of the 5.2 million accesses to the control system were made by these 34 user accounts.

The IRS issued a statement Monday saying it had “taken a number of steps to improve the control and monitoring of routers and switches. The IRS emphasizes it is not aware that any taxpayer data has been compromised due to a security breach. We continue to work to improve our security capabilities of our technology assets, and we have extensive intrusion-monitoring capabilities to watch for potential breaches.”

The Inspector General’s office faulted the IRS for not adequately reviewing the “audit trail” logs that could help identify questionable activity.

“As a result, malicious persons could exploit vulnerabilities in the routers and switches to gain unauthorized access to sensitive information and disrupt computer operations with little chance of detection,” the report said.

The IRS, in response, agreed to most of the report’s recommendations for tightening controls. It said it would lock employee use accounts after 45 days of inactivity and remove those accounts after 90 days without use. It also said it would ensure that no unauthorized or unnecessary shared accounts exist in the control system.

The report follows a study by the congressional Government Accountability Office in January prodding the tax agency to fix dozens of information security weaknesses that left taxpayer records vulnerable to tampering or disclosure.

Then-acting IRS Commissioner Linda Stiff responded that the agency recognized “there is significant work to be accomplished to address our information security deficiencies and we are taking aggressive steps to correct previously reported weaknesses.”

There have been several widely publicized information-security incidents concerning government agencies other than the IRS. Perhaps the biggest was two years ago when a computer hard drive containing millions of names, Social Security numbers and birth dates was stolen from a Veterans Affairs employee’s home in Maryland. The hard drive was later recovered.

Less than two months ago, a laptop computer containing medical records on 2,500 patients enrolled in a National Institutes of Health study was stolen from a researcher’s car.

And last month, Secretary of State Condoleezza Rice apologized to presidential candidates Hillary Rodham Clinton, Barack Obama and John McCain after it was discovered that workers had snooped into their passport records.

Like what you see here? Become a member.

Show Me the Errors (What's this?)

Report corrections or additions here. Leave comments below here.

You must be logged in to participate in the Show Me the Errors contest.


Leave a comment

Speak up and join the conversation! Make sure to follow the guidelines outlined below and register with our site. You must be logged in to comment. (Our full comment policy is here.)

  • Don't use obscene, profane or vulgar language.
  • Don't use language that makes personal attacks on fellow commenters or discriminates based on race, religion, gender or ethnicity.
  • Use your real first and last name when registering on the website. It will be published with every comment. (Read why we ask for that here.)
  • Don’t solicit or promote businesses.

We are not able to monitor every comment that comes through. If you see something objectionable, please click the "Report comment" link.

You must be logged in to comment.

Forget your password?

Don't have an account? Register here.