TIGTA report: IRS taxpayer data is vulnerable to hackers

By AccountingWEB Staff
Personal information sent to the IRS is vulnerable to hackers, according to an audit report released Thursday.
Among the findings of the IRS watchdog, the Treasury Inspector General for Tax Administration (TIGTA):
  • 2,200 databases used by the IRS to manage and process taxpayer information are not secure, are run on out-of-date software, and do not get security patches.
  • The IRS did not fully implement a $1.1 million database vulnerability scanning and compliance assessment tool.
"Any failure to maintain IRS databases with the right amount of security diligence can allow disgruntled insiders or malicious outsiders to exploit security weaknesses to gain unauthorized access to taxpayer data, resulting in identity theft, fraud, or other types of illegal activity," J. Russell George, the inspector general in charge of the audit, said in a statement.
The IRS issued its own statement in response to the report, which is reprinted below.
The audit report said that, increasingly, databases are being targeted by attackers, citing a 2009 report that found that 30 percent of all known security breaches were against databases. "This trend was particularly disturbing because when a database was breached, 75 percent of the records were compromised," the report said.
Auditors tested the primary databases for 13 applications that support tax administration business processes. All of the databases had high and medium-risk vulnerabilities, the report said. The report noted that no single office is in charge of ensuring that databases are configured properly; rather, it is a "loosely shared responsibility" across several offices.
The report also said that "vulnerability scans" of the databases were incomplete and were not conducted often enough. The scanning tool was never fully employed, the report said. The IRS cited major technical difficulties due to multiple implementations of the database software across the agency.
The report included seven recommendations to improve database security. The IRS agreed with the recommendations, and issued the following statement:
"The IRS takes the security of our databases very seriously. We want to be very clear that while this report points out a number of technical issues, many of which have been resolved, there is no direct assertion that any taxpayer data is at risk. In fact, it should be noted that many of the databases referenced in this report don't store any taxpayer data at all.
"The IRS emphasizes these databases are used internally and are not directly accessed by the public.
"Security enhancement is an ongoing investment as the external world changes. We continue to make substantial investments, and test our capabilities on an ongoing basis.
"It's also important to note there have been no actual data breaches involving these databases."
Related items:

You may like these other stories...

Regulators struggle with conflicts in credit ratings and auditsThe Public Company Accounting Oversight Board (PCAOB), which was created by the Sarbanes-Oxley Act in 2002, released its third annual report on audits of...
Could the IRS disallow Ice Bucket Challenge charitable contributions?Unless you’ve been living under a rock, you’ve probably heard of – or participated in – the ALS Ice Bucket Challenge.I was...
As a general rule, a taxpayer can deduct the full amount of monetary contributions made to a qualified charitable organization, as long as certain substantiation requirements are met. These donations are typically made...

Already a member? log in here.

Upcoming CPE Webinars

Aug 26
This webcast will include discussions of recently issued, commonly-applicable Accounting Standards Updates for non-public, non-governmental entities.
Aug 28
Excel spreadsheets are often akin to the American Wild West, where users can input anything they want into any worksheet cell. Excel's Data Validation feature allows you to restrict user inputs to selected choices, but there are many nuances to the feature that often trip users up.
Sep 9
In this session we'll discuss the types of technologies and their uses in a small accounting firm office.
Sep 11
This webcast will include discussions of commonly-applicable Clarified Auditing Standards for audits of non-public, non-governmental entities.