Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

Audit Uncovers IRS Security Flaws

Tax agency not doing enough to protect taxpayer data on laptops, PCs, according to Treasury report

This tax season, the Internal Revenue Service is looking for something besides mistakes in your returns. It's looking for some missing laptops.

The IRS is not doing enough to protect taxpayer data on portable PCs and other mobile devices, according to a new report from the Treasury Department's Inspector General for Tax Administration. Over the past three years, the tax agency has lost nearly 500 laptops containing personal information on at least 2,300 taxpayers, and probably more, the report says.

Between 2003 and 2006, the IRS has reported the loss or theft of some 490 laptops in 387 separate incidents, the TIGTA says. Some 176 of the incidents probably involved no taxpayer data.

"For the remaining 211 incidents, we analyzed the incident writeups as of June 2006 and found 126 contained sufficient details to show that personal information for at least 2,359 individuals was involved," the report says. "We were unable to identify the nature of the data loss and the identities of taxpayers whose information may have been lost for the other 85 of 211 incidents due to lack of details in the incident writeups."

To get an idea of what the lost laptops might have contained, the TIGTA took a random sample of 100 laptops at the IRS and examined them for sensitive data and security policy violations.

"We determined 44 laptop computers contained unencrypted sensitive data, including taxpayer data and employee personnel data," the report says. "As a result, we believe it is very likely a large number of the lost or stolen IRS computers contained similar unencrypted data." Fifteen of the 44 machines were also found to have weak or inadequate password protection.

"Employees did not follow encryption procedures because they were either unaware of security requirements, did so for their own convenience, or did not know their own personal data were considered sensitive," the report continues. "We also found other computer devices, such as flash drives, CDs, and DVDs, on which sensitive data were not always encrypted." The IRS currently supports about 100,000 employees.

The TIGTA also audited the data at four of the IRS's offsite backup facilities. "Backup data were not encrypted and adequately protected at the four sites," the report states.

"For example, at one site, non-IRS employees had full access to the storage area and the IRS backup media," the report notes. "Envelopes and boxes with backup media were open and not resealed. At another site, one employee who retired in March 2006 had full access rights to the non-IRS offsite facility when we visited in July 2006."

The TIGTA recommended that the IRS refine its incident response procedures to collect more detailed information on the taxpayers who might be affected by future losses. The report also recommends that the tax agency "consider implementing a systemic disk encryption solution on laptop computers that does not rely on employees’ discretion as to what data to encrypt."

In a lengthy response, the IRS's IT organization said it agrees with the recommendation and has already begun to implement such an encryption system. No word yet on whether penalties and interest have accrued.

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9498
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
CVE-2020-3282
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
CVE-2020-5909
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
CVE-2020-5910
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
CVE-2020-5911
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.