[ISN] IRS security flaws expose taxpayer data to snooping, GAO finds

InfoSec News isn at c4i.org
Tue Apr 19 09:14:22 EDT 2005


By Andy Sullivan
APRIL 18, 2005

Security flaws in computer systems used by the Internal Revenue
Service expose millions of taxpayers to potential identity theft or
illegal police snooping, according to a congressional report released

The IRS also is unlikely to know if outsiders are browsing through
citizens' tax returns because it doesn't effectively police its
computer systems for unauthorized use, the Government Accountability
Office found.

The report was released three days after the deadline for filing
personal income tax returns, and at a time when concerns about
identity theft and computer security are running high. "This lack of
systems security at the IRS is completely unacceptable and needs to be
corrected immediately," said Rep. James Sensenbrenner (R-Wis.),
chairman of the House Judiciary Committee.

The IRS promised to fix any problems and find out if tax returns had
been exposed to outsiders.

Over the past several years, the agency has taken steps to protect the
information it collects, the report found. The agency has fixed 32 of
the 53 problems that turned up in a 2002 review. But the GAO found 39
new security problems on top of the 21 that remain unfixed.

Along with $2 trillion in tax receipts, the IRS also collects
information on money laundering and other possible financial crimes
for the government's financial-intelligence office. But barriers
between tax returns and money-laundering reports don't exist, the GAO
found. Thus, a police officer checking up on money-laundering reports
can also read personal tax returns, in violation of federal law.

In all, 7,500 IRS employees, law enforcers and outside contractors can
access and modify tax returns and financial-crime reports, the GAO
found. A master list of passwords and usernames is also widely
available, the report said.

"Increased risk exists that unauthorized users could ... claim a user
identity and then use that identity to gain access to sensitive
taxpayer or Bank Secrecy Act data," the report said.

Identity thieves have used stolen passwords to gain access to nearly
half a million profiles of U.S. citizens maintained by data brokers
ChoicePoint Inc. and LexisNexis, a division of Reed Elsevier.

In a letter dated April 14, a Treasury Department official said many
of the security holes portrayed in the report have been fixed and
other updates should be completed by October. The agency will figure
out whether tax returns and financial-crime information have been
inappropriately disclosed, Acting Deputy Treasury Secretary Arnold
Havens said.

An IRS spokesman declined to comment further.

Rep. John Conyers (D-Mich.) said the Judiciary Committee will consider
whether additional measures are needed to strengthen computer

More information about the ISN mailing list