TIGTA report: IRS taxpayer data is vulnerable to hackers

By AccountingWEB Staff
 
Personal information sent to the IRS is vulnerable to hackers, according to an audit report released Thursday.
 
Among the findings of the IRS watchdog, the Treasury Inspector General for Tax Administration (TIGTA):
 
  • 2,200 databases used by the IRS to manage and process taxpayer information are not secure, are run on out-of-date software, and do not get security patches.
  • The IRS did not fully implement a $1.1 million database vulnerability scanning and compliance assessment tool.
"Any failure to maintain IRS databases with the right amount of security diligence can allow disgruntled insiders or malicious outsiders to exploit security weaknesses to gain unauthorized access to taxpayer data, resulting in identity theft, fraud, or other types of illegal activity," J. Russell George, the inspector general in charge of the audit, said in a statement.
 
The IRS issued its own statement in response to the report, which is reprinted below.
 
The audit report said that, increasingly, databases are being targeted by attackers, citing a 2009 report that found that 30 percent of all known security breaches were against databases. "This trend was particularly disturbing because when a database was breached, 75 percent of the records were compromised," the report said.
 
Auditors tested the primary databases for 13 applications that support tax administration business processes. All of the databases had high and medium-risk vulnerabilities, the report said. The report noted that no single office is in charge of ensuring that databases are configured properly; rather, it is a "loosely shared responsibility" across several offices.
 
The report also said that "vulnerability scans" of the databases were incomplete and were not conducted often enough. The scanning tool was never fully employed, the report said. The IRS cited major technical difficulties due to multiple implementations of the database software across the agency.
 
The report included seven recommendations to improve database security. The IRS agreed with the recommendations, and issued the following statement:
 
"The IRS takes the security of our databases very seriously. We want to be very clear that while this report points out a number of technical issues, many of which have been resolved, there is no direct assertion that any taxpayer data is at risk. In fact, it should be noted that many of the databases referenced in this report don't store any taxpayer data at all.
 
"The IRS emphasizes these databases are used internally and are not directly accessed by the public.
 
"Security enhancement is an ongoing investment as the external world changes. We continue to make substantial investments, and test our capabilities on an ongoing basis.
 
"It's also important to note there have been no actual data breaches involving these databases."
 
 
Related items:

You may like these other stories...

Many senior US tax professionals believe that a streamlined audit process will be the top benefit resulting from the IRS Transfer Pricing Audit Roadmap, a new toolkit organized around a notional 24-month audit timeline,...
Tax accounting to be simplified for money-market fundsThe US Securities and Exchange Commission (SEC) voted 3-2 on Wednesday for sweeping changes to institutional money-market funds, Emily Chasan, senior editor of...
By Cathy Stopyra and Todd SimmensUnderpayment interest, refund interest, and penalties charged to businesses are just a few of the considerations the IRS calculates when determining taxation for a given company. Though...

Upcoming CPE Webinars

Jul 31
In this session Excel expert David Ringstrom helps beginners get up to speed in Microsoft Excel. However, even experienced Excel users will learn some new tricks, particularly when David discusses under-utilized aspects of Excel.
Aug 5
This webcast will focus on accounting and disclosure policies for various types of consolidations and business combinations.
Aug 20
In this session we'll review best practices for how to generate interest in your firm’s services.