Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

Audit Uncovers IRS Security Flaws

Tax agency not doing enough to protect taxpayer data on laptops, PCs, according to Treasury report

This tax season, the Internal Revenue Service is looking for something besides mistakes in your returns. It's looking for some missing laptops.

The IRS is not doing enough to protect taxpayer data on portable PCs and other mobile devices, according to a new report from the Treasury Department's Inspector General for Tax Administration. Over the past three years, the tax agency has lost nearly 500 laptops containing personal information on at least 2,300 taxpayers, and probably more, the report says.

Between 2003 and 2006, the IRS has reported the loss or theft of some 490 laptops in 387 separate incidents, the TIGTA says. Some 176 of the incidents probably involved no taxpayer data.

"For the remaining 211 incidents, we analyzed the incident writeups as of June 2006 and found 126 contained sufficient details to show that personal information for at least 2,359 individuals was involved," the report says. "We were unable to identify the nature of the data loss and the identities of taxpayers whose information may have been lost for the other 85 of 211 incidents due to lack of details in the incident writeups."

To get an idea of what the lost laptops might have contained, the TIGTA took a random sample of 100 laptops at the IRS and examined them for sensitive data and security policy violations.

"We determined 44 laptop computers contained unencrypted sensitive data, including taxpayer data and employee personnel data," the report says. "As a result, we believe it is very likely a large number of the lost or stolen IRS computers contained similar unencrypted data." Fifteen of the 44 machines were also found to have weak or inadequate password protection.

"Employees did not follow encryption procedures because they were either unaware of security requirements, did so for their own convenience, or did not know their own personal data were considered sensitive," the report continues. "We also found other computer devices, such as flash drives, CDs, and DVDs, on which sensitive data were not always encrypted." The IRS currently supports about 100,000 employees.

The TIGTA also audited the data at four of the IRS's offsite backup facilities. "Backup data were not encrypted and adequately protected at the four sites," the report states.

"For example, at one site, non-IRS employees had full access to the storage area and the IRS backup media," the report notes. "Envelopes and boxes with backup media were open and not resealed. At another site, one employee who retired in March 2006 had full access rights to the non-IRS offsite facility when we visited in July 2006."

The TIGTA recommended that the IRS refine its incident response procedures to collect more detailed information on the taxpayers who might be affected by future losses. The report also recommends that the tax agency "consider implementing a systemic disk encryption solution on laptop computers that does not rely on employees’ discretion as to what data to encrypt."

In a lengthy response, the IRS's IT organization said it agrees with the recommendation and has already begun to implement such an encryption system. No word yet on whether penalties and interest have accrued.

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Firms Improve Threat Detection but Face Increasingly Disruptive Attacks
Robert Lemos, Contributing Writer,  2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8813
PUBLISHED: 2020-02-22
graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege.
CVE-2020-9039
PUBLISHED: 2020-02-22
Couchbase Server 4.x and 5.x before 6.0.0 has Insecure Permissions for the projector and indexer REST endpoints (they allow unauthenticated access).
CVE-2020-8860
PUBLISHED: 2020-02-22
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Samsung Galaxy S10 Firmware G973FXXS3ASJA, O(8.x), P(9.0), Q(10.0) devices with Exynos chipsets. User interaction is required to exploit this vulnerability in that the target must answer a phone call. T...
CVE-2020-8861
PUBLISHED: 2020-02-22
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-1330 1.10B01 BETA Wi-Fi range extenders. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of HNAP login requests. The issue ...
CVE-2020-8862
PUBLISHED: 2020-02-22
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-2610 Firmware v2.01RC067 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of passwords. The issue results from the ...