Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

Audit Uncovers IRS Security Flaws

Tax agency not doing enough to protect taxpayer data on laptops, PCs, according to Treasury report

This tax season, the Internal Revenue Service is looking for something besides mistakes in your returns. It's looking for some missing laptops.

The IRS is not doing enough to protect taxpayer data on portable PCs and other mobile devices, according to a new report from the Treasury Department's Inspector General for Tax Administration. Over the past three years, the tax agency has lost nearly 500 laptops containing personal information on at least 2,300 taxpayers, and probably more, the report says.

Between 2003 and 2006, the IRS has reported the loss or theft of some 490 laptops in 387 separate incidents, the TIGTA says. Some 176 of the incidents probably involved no taxpayer data.

"For the remaining 211 incidents, we analyzed the incident writeups as of June 2006 and found 126 contained sufficient details to show that personal information for at least 2,359 individuals was involved," the report says. "We were unable to identify the nature of the data loss and the identities of taxpayers whose information may have been lost for the other 85 of 211 incidents due to lack of details in the incident writeups."

To get an idea of what the lost laptops might have contained, the TIGTA took a random sample of 100 laptops at the IRS and examined them for sensitive data and security policy violations.

"We determined 44 laptop computers contained unencrypted sensitive data, including taxpayer data and employee personnel data," the report says. "As a result, we believe it is very likely a large number of the lost or stolen IRS computers contained similar unencrypted data." Fifteen of the 44 machines were also found to have weak or inadequate password protection.

"Employees did not follow encryption procedures because they were either unaware of security requirements, did so for their own convenience, or did not know their own personal data were considered sensitive," the report continues. "We also found other computer devices, such as flash drives, CDs, and DVDs, on which sensitive data were not always encrypted." The IRS currently supports about 100,000 employees.

The TIGTA also audited the data at four of the IRS's offsite backup facilities. "Backup data were not encrypted and adequately protected at the four sites," the report states.

"For example, at one site, non-IRS employees had full access to the storage area and the IRS backup media," the report notes. "Envelopes and boxes with backup media were open and not resealed. At another site, one employee who retired in March 2006 had full access rights to the non-IRS offsite facility when we visited in July 2006."

The TIGTA recommended that the IRS refine its incident response procedures to collect more detailed information on the taxpayers who might be affected by future losses. The report also recommends that the tax agency "consider implementing a systemic disk encryption solution on laptop computers that does not rely on employees’ discretion as to what data to encrypt."

In a lengthy response, the IRS's IT organization said it agrees with the recommendation and has already begun to implement such an encryption system. No word yet on whether penalties and interest have accrued.

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
US Sets $5 Million Bounty For Russian Hacker Behind Zeus Banking Thefts
Jai Vijayan, Contributing Writer,  12/5/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19604
PUBLISHED: 2019-12-11
Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository.
CVE-2019-14861
PUBLISHED: 2019-12-10
All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the (poorly named) dnsserver RPC pipe provides administrative facilities to modify DNS records and zones. Samba, when acting as an AD DC, stores DNS records in LDAP. In AD, the default permiss...
CVE-2019-14870
PUBLISHED: 2019-12-10
All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the S4U (MS-SFU) Kerberos delegation model includes a feature allowing for a subset of clients to be opted out of constrained delegation in any way, either S4U2Self or regular Kerberos authent...
CVE-2019-14889
PUBLISHED: 2019-12-10
A flaw was found with the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence...
CVE-2019-1484
PUBLISHED: 2019-12-10
A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input, aka 'Windows OLE Remote Code Execution Vulnerability'.