IRS security flaws may expose taxpayer, banking data

The Internal Revenue Service is putting taxpayers at risk of identity theft or other unauthorized uses of their personal data because of computer security flaws, according to the Government Accountability Office. Even as IRS has fixed some security weaknesses, others have emerged, and the tax agency may not even know if data has been compromised.

IRS has repaired 32 of 53 previously identified security weaknesses, but auditors uncovered 39 more during their review process, the GAO said in a report this week.

For example, IRS has not implemented effective electronic access controls over its mainframe computers in order to separate taxpayer data from Bank Secrecy Act data that it processes for the Treasury Department's Financial Crimes Enforcement Network. The Bank Secrecy Act is designed to prevent financial institutions from being used to launder funds or transfer money for criminal and terrorist acts.

IRS also does not maintain an audit trail for its servers that would let it monitor users and transactions, the GAO said.

'Until IRS fully implements a comprehensive agencywide information security program, its facilities and computing resources and the information that is processed, stored and transmitted on its systems will remain vulnerable,' said Gregory Wilshusen, director of GAO's information security issues. GAO conducted its review from August through December 2004.

According to the report, IRS should determine if any taxpayer or Bank Secrecy data has been disclosed to unauthorized individuals. The tax agency should also complete its comprehensive security program, including fully implementing security policies and procedures, providing specialized training to employees with security responsibilities and instituting periodic testing and evaluation of its systems to ensure compliance with security procedures.

IRS says it has already put in place some corrective actions at its regional computing centers, including designating IT security officers, properly configuring access rights to IRS' mainframe computers and auditing access activity.

In response to the GAO report, Arnold Havens, Treasury's acting deputy secretary, said the comprehensive security plan will be completed by the end of the fiscal year as part of the department's compliance with the Federal Information Security Management Act.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.
