Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

Audit Uncovers IRS Security Flaws

Tax agency not doing enough to protect taxpayer data on laptops, PCs, according to Treasury report

This tax season, the Internal Revenue Service is looking for something besides mistakes in your returns. It's looking for some missing laptops.

The IRS is not doing enough to protect taxpayer data on portable PCs and other mobile devices, according to a new report from the Treasury Department's Inspector General for Tax Administration. Over the past three years, the tax agency has lost nearly 500 laptops containing personal information on at least 2,300 taxpayers, and probably more, the report says.

Between 2003 and 2006, the IRS has reported the loss or theft of some 490 laptops in 387 separate incidents, the TIGTA says. Some 176 of the incidents probably involved no taxpayer data.

"For the remaining 211 incidents, we analyzed the incident writeups as of June 2006 and found 126 contained sufficient details to show that personal information for at least 2,359 individuals was involved," the report says. "We were unable to identify the nature of the data loss and the identities of taxpayers whose information may have been lost for the other 85 of 211 incidents due to lack of details in the incident writeups."

To get an idea of what the lost laptops might have contained, the TIGTA took a random sample of 100 laptops at the IRS and examined them for sensitive data and security policy violations.

"We determined 44 laptop computers contained unencrypted sensitive data, including taxpayer data and employee personnel data," the report says. "As a result, we believe it is very likely a large number of the lost or stolen IRS computers contained similar unencrypted data." Fifteen of the 44 machines were also found to have weak or inadequate password protection.

"Employees did not follow encryption procedures because they were either unaware of security requirements, did so for their own convenience, or did not know their own personal data were considered sensitive," the report continues. "We also found other computer devices, such as flash drives, CDs, and DVDs, on which sensitive data were not always encrypted." The IRS currently supports about 100,000 employees.

The TIGTA also audited the data at four of the IRS's offsite backup facilities. "Backup data were not encrypted and adequately protected at the four sites," the report states.

"For example, at one site, non-IRS employees had full access to the storage area and the IRS backup media," the report notes. "Envelopes and boxes with backup media were open and not resealed. At another site, one employee who retired in March 2006 had full access rights to the non-IRS offsite facility when we visited in July 2006."

The TIGTA recommended that the IRS refine its incident response procedures to collect more detailed information on the taxpayers who might be affected by future losses. The report also recommends that the tax agency "consider implementing a systemic disk encryption solution on laptop computers that does not rely on employees’ discretion as to what data to encrypt."

In a lengthy response, the IRS's IT organization said it agrees with the recommendation and has already begun to implement such an encryption system. No word yet on whether penalties and interest have accrued.

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment:   It's a PEN test of our cloud security.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5226
PUBLISHED: 2020-01-24
Cross-site scripting in SimpleSAMLphp before version 1.18.4. The www/erroreport.php script allows error reports to be submitted and sent to the system administrator. Starting with SimpleSAMLphp 1.18.0, a new SimpleSAML\Utils\EMail class was introduced to handle sending emails, implemented as a wrapp...
CVE-2019-1517
PUBLISHED: 2020-01-24
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
CVE-2019-1518
PUBLISHED: 2020-01-24
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
CVE-2019-1519
PUBLISHED: 2020-01-24
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
CVE-2019-1520
PUBLISHED: 2020-01-24
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.