Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

Audit Uncovers IRS Security Flaws

Tax agency not doing enough to protect taxpayer data on laptops, PCs, according to Treasury report

This tax season, the Internal Revenue Service is looking for something besides mistakes in your returns. It's looking for some missing laptops.

The IRS is not doing enough to protect taxpayer data on portable PCs and other mobile devices, according to a new report from the Treasury Department's Inspector General for Tax Administration. Over the past three years, the tax agency has lost nearly 500 laptops containing personal information on at least 2,300 taxpayers, and probably more, the report says.

Between 2003 and 2006, the IRS has reported the loss or theft of some 490 laptops in 387 separate incidents, the TIGTA says. Some 176 of the incidents probably involved no taxpayer data.

"For the remaining 211 incidents, we analyzed the incident writeups as of June 2006 and found 126 contained sufficient details to show that personal information for at least 2,359 individuals was involved," the report says. "We were unable to identify the nature of the data loss and the identities of taxpayers whose information may have been lost for the other 85 of 211 incidents due to lack of details in the incident writeups."

To get an idea of what the lost laptops might have contained, the TIGTA took a random sample of 100 laptops at the IRS and examined them for sensitive data and security policy violations.

"We determined 44 laptop computers contained unencrypted sensitive data, including taxpayer data and employee personnel data," the report says. "As a result, we believe it is very likely a large number of the lost or stolen IRS computers contained similar unencrypted data." Fifteen of the 44 machines were also found to have weak or inadequate password protection.

"Employees did not follow encryption procedures because they were either unaware of security requirements, did so for their own convenience, or did not know their own personal data were considered sensitive," the report continues. "We also found other computer devices, such as flash drives, CDs, and DVDs, on which sensitive data were not always encrypted." The IRS currently supports about 100,000 employees.

The TIGTA also audited the data at four of the IRS's offsite backup facilities. "Backup data were not encrypted and adequately protected at the four sites," the report states.

"For example, at one site, non-IRS employees had full access to the storage area and the IRS backup media," the report notes. "Envelopes and boxes with backup media were open and not resealed. At another site, one employee who retired in March 2006 had full access rights to the non-IRS offsite facility when we visited in July 2006."

The TIGTA recommended that the IRS refine its incident response procedures to collect more detailed information on the taxpayers who might be affected by future losses. The report also recommends that the tax agency "consider implementing a systemic disk encryption solution on laptop computers that does not rely on employees’ discretion as to what data to encrypt."

In a lengthy response, the IRS's IT organization said it agrees with the recommendation and has already begun to implement such an encryption system. No word yet on whether penalties and interest have accrued.

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Hacking It as a CISO: Advice for Security Leadership
Kelly Sheridan, Staff Editor, Dark Reading,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15596
PUBLISHED: 2020-08-12
The ALPS ALPINE touchpad driver before 8.2206.1717.634, as used on various Dell, HP, and Lenovo laptops, allows attackers to conduct Path Disclosure attacks via a "fake" DLL file.
CVE-2020-15868
PUBLISHED: 2020-08-12
Sonatype Nexus Repository Manager OSS/Pro before 3.26.0 has Incorrect Access Control.
CVE-2020-17362
PUBLISHED: 2020-08-12
search.php in the Nova Lite theme before 1.3.9 for WordPress allows Reflected XSS.
CVE-2020-17449
PUBLISHED: 2020-08-12
PHP-Fusion 9.03 allows XSS via the error_log file.
CVE-2020-17450
PUBLISHED: 2020-08-12
PHP-Fusion 9.03 allows XSS on the preview page.