Official: IRS Computer Security Is Lax

Gov't Study Says IRS Employees Gave Out Sensitive Information Over The Phone

(AP)  IRS employees ignored security rules and turned over sensitive computer information to a caller posing as a technical support person, according to a government study.

Sixty-one of the 102 people who got the test calls, including managers and a contractor, complied with a request that the employee provide his or her user name and temporarily change his or her password to one the caller suggested, according to the Treasury Inspector General for Tax Administration, an office that does oversight of Internal Revenue Service.

The caller asked for assistance to correct a computer problem.

The report said that by failing to question the identity of the caller the employees were putting the IRS at risk of providing unauthorized people access to taxpayer data that could be used for identity theft and other fraudulent schemes.

"This is especially disturbing because the IRS has taken many steps to raise employee awareness of the importance of protecting their computers and passwords," said Inspector General J. Russell George.

Only eight of the 102 employees contacted either the inspector general's office or IRS security offices to validate the legitimacy of the caller.

The report said the IRS took measures to improve security after two similar test telephone calls in 2001 and 2004. "However, the corrective actions have not been effective," it said.

The IRS agreed with recommendations from the inspector general that it should take steps to make employees more aware of hacker tactics such as posing as an internal employee and to remind people to report such incidents to security officials.

The IRS has nearly 100,000 employees and contractors with access to tax return information processed on about 240 computer systems and more than 1,500 databases.

[jt_lancer]

alphaa10: "Medicare is a successful federal system which the American public actually prefers to the Bush "privatization" ploy."

Successful - if you ignore the fact that the government's UNFUNDED future debt obligation to Medicare is estimated at $38.3 TRILLION.

Where will that money come from? Eventually, the system will collapse under its own dead weight, like any other government-created Ponzi scheme. And your children and grandchildren will be stuck with the bills.

Yeah, Medicare's a great system.

[darkfyreaol]

People in the US: 301,140,000+.
People in each database: 200,000 .
Number of databases: 1,500 .
Number of computers: 240 .

An IRS agent leaking your information over the phone: Priceless .

[alphaa10-2009]

omega3 said, "Can%u2019t wait till the Federal government takes over health care..."
---
Medicare is a successful federal system which the American public actually prefers to the Bush "privatization" ploy (to give Wall Street a chance to play with SSA money). As Bush said after the 2006 election, "The people have spoken..."

And none, surely, would insist the HMO debacle-- which left the US medical system trailing impoverished Cuba in infant mortality figures-- is a shining success for lowering costs to average Americans. Fewer, still, would consider the HMO even an example of good medical practice.

Medical quality does not come first with the HMO-run medical facility. The HMO was created to justify the refusal of insurance companies to pay whatever medical billings demanded. The HMO, therefore, has little or nothing to do with medical care, per se. Only billing disputes.

[alphaa10-2009]

Penetration of federal security walls is still far more successful than it should be-- after all, this is only the fourth year or so of intensified federal efforts at securing its own infrastructure-- and after spending billions of taxpayer dollars, while claiming to do so.

Bush-- our Katrina president at work-- clearly has shoved the matter into his background, as matters careen out of control elsewhere. Today, with thousands of rank incompetents in federal office thanks to a Bush spoils system for political cronies ("Heckuva job, Brownie!"), it will be at least 2008 before this digital vulnerability begins to close.

Meanwhile, other foes of the US are not waiting around, or playing. The PRC has done constant stealth penetration of US federal networks for several years, and they are much better at it than when they began. Amid this growing threat environment, we still have federal people who fall for the "pretexting" scam?

[darrellwy]

They should have been fired, other people get fired for less. What would have happened if it were not a test.

[omega39-2009]

Can%u2019t wait till the Federal government takes over health care.

Or promises us a cake walk in Iraq where people will be dancing in the streets while throwing flowers and liberation kisses.........Oh wait.

[delfmast]

www.editorialstaff.net, Franklin D. Lomax
Can you say disfunctional tax system? With millions of hardworking millionaires/billionaires, who can read and write, our tens of thousands of pages of tax regulations can never extort major portions of our wealth. We will quit creating jobs, hiring workers, manufacturing goods, and retire if necessary to legally, and morally prevent political criminals extorting our wealth. Wealthy clients purchase legal and perfectly moral efforts to reduce their taxes by meeting the letter of the law. Only the poor and disadvantaged are subject to the endless tortures devised by hundreds of thousands of IRS dullards. No sane millionaire would ever bother hiring a lawyer for reducing a 17% or so, flat rate tax that exempts all poor, and disadvantaged workers, and amply funds a government far larger than free people will tolerate. It costs more to deal with our disfunctional tax system than it costs to pay a fair flat tax. Congress objects, because their illegal, immoral campaign contribution fueled political system will disappear, replaced by statesmen volunteers, who can serve America, instead of their paying special interests. Can you say Billion dollar 2008 campaign?

[hypnotoad72]

Not surprising. A lot of people will not verify credentials, or readily pass out protected information.

And if a person says he's an employee, ask them for credentials. If not a sanctioned ID card, then a drivers license so the person can be verified by references given, if not HR.

This time it's wholly human error and these humans need to be more vigilant. It's common sense - a concept I usually have faults with, but not when it comes to computer security. Certainly not to this lax level! And, no, sometimes it feels impolite to ask for ID. But it's got to be done.

[rray52]

Just curious, did any of the employees get fired? Probley not, they have a union that donates a lot of money to political campaigns.

Can%u2019t wait till the Federal government takes over health care.

[bobnjersey]

[tax return information processed on about 240 computer systems and more than 1,500 databases. ]

sounds like a well designed system ... they're using this to maintain that 'no fly' list too.

anyone feeling safer yet?