Security News > 2005 > April > [ISN] IRS security flaws expose taxpayer data to snooping, GAO finds

[ISN]	IRS security flaws expose taxpayer data to snooping, GAO finds
2005-04-19 13:14

http://www.computerworld.com/securitytopics/security/story/0,10801,101166,00.html By Andy Sullivan APRIL 18, 2005 REUTERS Security flaws in computer systems used by the Internal Revenue Service expose millions of taxpayers to potential identity theft or illegal police snooping, according to a congressional report released today. The IRS also is unlikely to know if outsiders are browsing through citizens' tax returns because it doesn't effectively police its computer systems for unauthorized use, the Government Accountability Office found. The report was released three days after the deadline for filing personal income tax returns, and at a time when concerns about identity theft and computer security are running high. "This lack of systems security at the IRS is completely unacceptable and needs to be corrected immediately," said Rep. James Sensenbrenner (R-Wis.), chairman of the House Judiciary Committee. The IRS promised to fix any problems and find out if tax returns had been exposed to outsiders. Over the past several years, the agency has taken steps to protect the information it collects, the report found. The agency has fixed 32 of the 53 problems that turned up in a 2002 review. But the GAO found 39 new security problems on top of the 21 that remain unfixed. Along with $2 trillion in tax receipts, the IRS also collects information on money laundering and other possible financial crimes for the government's financial-intelligence office. But barriers between tax returns and money-laundering reports don't exist, the GAO found. Thus, a police officer checking up on money-laundering reports can also read personal tax returns, in violation of federal law. In all, 7,500 IRS employees, law enforcers and outside contractors can access and modify tax returns and financial-crime reports, the GAO found. A master list of passwords and usernames is also widely available, the report said. "Increased risk exists that unauthorized users could ... claim a user identity and then use that identity to gain access to sensitive taxpayer or Bank Secrecy Act data," the report said. Identity thieves have used stolen passwords to gain access to nearly half a million profiles of U.S. citizens maintained by data brokers ChoicePoint Inc. and LexisNexis, a division of Reed Elsevier. In a letter dated April 14, a Treasury Department official said many of the security holes portrayed in the report have been fixed and other updates should be completed by October. The agency will figure out whether tax returns and financial-crime information have been inappropriately disclosed, Acting Deputy Treasury Secretary Arnold Havens said. An IRS spokesman declined to comment further. Rep. John Conyers (D-Mich.) said the Judiciary Committee will consider whether additional measures are needed to strengthen computer security. _________________________________________ Network Security - http://www.auditmypc.com Free vulnerability test - How secure is your computer?


News URL

http://www.computerworld.com/securitytopics/security/story/0,10801,101166,00.html