
Inspector General Report: Two IRS Applications Leave Taxpayer Data at Risk

IRS knowingly rolled out systems that contained security vulnerabilities

The Internal Revenue Service left taxpayer data exposed by deploying two major computer systems despite knowing that they harbor security vulnerabilities, according to a report released publicly today by the Treasury Inspector General for Tax Administration (TIGTA).

The inspector general's office says the IRS’s mainframe-based Customer Account Data Engine (CADE) for managing taxpayer accounts and its Account Management Services (AMS) for IRS access to taxpayer data contain flaws that the IRS identified but did not fix before rolling them out last year. The billion-dollar, high-sensitivity CADE system is one of the key elements of the IRS’s computer modernization program, and processed about 20 percent of the 142 billion tax returns filed with the IRS, according to the Associated Press.

CADE contains vulnerabilities that could lead to potential administrative privilege abuse, malware attacks, and unauthorized access to the system and its data. Among the other flaws highlighted in the report are a lack of configuration management, storage, and disaster recovery deficiencies, and no actual security guidelines or plans for connecting the system to other government agencies’ systems. The IRS also sends personally identifiable information from CADE within its data centers in clear text, and leaves its backup systems unencrypted.

AMS, meanwhile, includes taxpayer identification numbers in its application error log, and its operating system has only a 77.8 percent compliance rate with the required security settings, according to the report.

TIGTA is unaware of any taxpayer data actually getting compromised or falling into the wrong hands, but the data was exposed on these systems, according to the agency.

TIGTA’s Inspector General didn’t mince words on the severity of the IRS’s handling of the new systems. "The IRS continues to struggle with security vulnerabilities in its modernized systems. It recognizes, as we all do, the inherent risk in any IT system," said J. Russell George, Inspector General for TIGTA, in a prepared statement. "In the case of the CADE and AMS the Service was aware of, and even self-identified, these weaknesses. This is very troublesome."

The IRS discovered the flaws both during the software development process and during the security testing after the systems were deployed, but still went ahead with the partial rollout. And the agency didn’t run vulnerability assessment scans on the software, either, according to the report. “We believe that the IRS’ processes for ensuring that security controls are implemented before systems are deployed failed because key organizations did not consider the known security vulnerabilities to be significant, which affected vulnerability resolution and system deployment decisions,” according to the report.

The report doesn’t specify whether the vulnerabilities are buffer overflows, SQL injection, or other common security flaws in software. But these applications wouldn’t have passed muster under the PCI standard with the kind of vulnerabilities they have, says Chris Wysopal, CTO of Veracode. “Some of this wouldn’t be allowed for processing credit-card data [under PCI], and here we are with someone’s full financial picture” in this system, Wysopal says. “This is much more sensitive data.”

If known vulnerabilities existed in a mainframe storing credit card information, it wouldn’t pass PCI, he says, and transmitting data in the clear like these systems do wouldn’t pass, either.

One bright spot in the report is that the IRS has set up policies and procedures for security and privacy in its software, Veracode's Wysopal says. The downside, however, is that the agency didn’t follow those rules in the design and implementation of CADE and AMS, according to the report.

The IRS will address TIGTA’s recommendations for remedying the security vulnerabilities and weaknesses, and the Inspector General will conduct another review to follow up.
