By AccountingWEB Staff
Personal information sent to the IRS is vulnerable to hackers, according to an audit report released Thursday.
Among the findings of the IRS watchdog, the Treasury Inspector General for Tax Administration (TIGTA):
- 2,200 databases used by the IRS to manage and process taxpayer information are not secure, are run on out-of-date software, and do not get security patches.
- The IRS did not fully implement a $1.1 million database vulnerability scanning and compliance assessment tool.
"Any failure to maintain IRS databases with the right amount of security diligence can allow disgruntled insiders or malicious outsiders to exploit security weaknesses to gain unauthorized access to taxpayer data, resulting in identity theft, fraud, or other types of illegal activity," J. Russell George, the inspector general in charge of the audit, said in a statement.
The IRS issued its own statement in response to the report, which is reprinted below.
The audit report said that, increasingly, databases are being targeted by attackers, citing a 2009 report that found that 30 percent of all known security breaches were against databases. "This trend was particularly disturbing because when a database was breached, 75 percent of the records were compromised," the report said.
Auditors tested the primary databases for 13 applications that support tax administration business processes. All of the databases had high and medium-risk vulnerabilities, the report said. The report noted that no single office is in charge of ensuring that databases are configured properly; rather, it is a "loosely shared responsibility" across several offices.
The report also said that "vulnerability scans" of the databases were incomplete and were not conducted often enough. The scanning tool was never fully employed, the report said. The IRS cited major technical difficulties due to multiple implementations of the database software across the agency.
The report included seven recommendations to improve database security. The IRS agreed with the recommendations, and issued the following statement:
"The IRS takes the security of our databases very seriously. We want to be very clear that while this report points out a number of technical issues, many of which have been resolved, there is no direct assertion that any taxpayer data is at risk. In fact, it should be noted that many of the databases referenced in this report don't store any taxpayer data at all.
"The IRS emphasizes these databases are used internally and are not directly accessed by the public.
"Security enhancement is an ongoing investment as the external world changes. We continue to make substantial investments, and test our capabilities on an ongoing basis.
"It's also important to note there have been no actual data breaches involving these databases."