By Brian Krebs
washingtonpost.com Staff Writer
Thursday, January 15, 2009 9:00 AM
Taxpayer data remains dangerously vulnerable to theft and unauthorized access due to widespread computer security weaknesses at the Internal Revenue Service, two new government reports conclude.
The Government Accountability Office reported Friday that the tax-collecting arm of the U.S. government had addressed fewer than half of the 115 security holes the oversight agency previously cited.
In particular, the GAO said the IRS isn't doing enough to bar employees from unnecessarily accessing taxpayer data. "IRS continues to, among other things, allow sensitive information, including IDs and passwords for mission-critical applications, to be readily available to any user on its internal network," the report said. The GAO also said the IRS still does not encrypt certain types of sensitive information.
A separate report released today by the Treasury Department's Inspector General for Tax Administration found similar weaknesses pervasive in the latest installment of the IRS's "Modernized e-File" program, which provides businesses an easy way to file online tax returns, forms and schedules.
Currently that system does not support direct, personal income tax filing by consumers. However, the IRS has slated the projected $673 million modernized filing system to accept individual tax returns before its scheduled completion date of 2020.
In a written response to the Treasury report, IRS officials said they had resolved nine of the 13 vulnerabilities reported by investigators and have plans in place to resolve the remaining security loopholes by the end of 2009.
The 26-page analysis by the inspector general's office also accused IRS administrators of moving forward with the new e-file system even though auditors had warned that doing so would leave the network dangerously exposed.
"We believe that the lack of attention to security controls during developmental phases can be traced to other business requirements, filing season pressures, and deployment demands," said J. Russell George, Treasury's inspector general. "These concerns have taken precedence over security concerns, and executive-level management was not adequately engaged to ensure that security needs and requirements were being implemented."
The inspector general's office also said the e-file system lacked adequate audit controls to record whether an IRS employee had gained unauthorized access to taxpayer records.
The report said that any IRS employee with access to the agency's internal network could have logged in to the computer system that is designed to administer security settings on the network.
A federal law passed in 1997 makes it a criminal offense for IRS employees to inspect or disclose tax information without proper approval, a crime punishable by jail time and fines.
But this hasn't stopped some employees from snooping into taxpayer files. Over the past decade, the inspector general's office has investigated 4,704 cases of potential violations of that law, resulting in criminal prosecutions against 176 IRS employees.
In addition, Treasury investigations of alleged violations of that law have led to 444 employee removals or firings, 407 suspensions and more than 350 other disciplinary actions. Another 883 employees resigned from the IRS during an investigation or before personnel action could be taken.
In August 2008, a 56-year-old IRS tax examiner in Covington, Ky., was sentenced to three years of probation and 60 hours of community service for improperly accessing the tax records of nearly 200 celebrities, including former Cincinnati Reds players and Cincinnati Bengals Head Coach Marvin Lewis.