Report: IRS Computers Prone To Hackers

Watchdogs Say Security Weaknesses Could Threaten Confidential Taxpayer Information

(AP)  One more tax-season dread: A week before the filing deadline, Treasury watchdogs said Monday that poor controls over IRS computers could allow a disgruntled employee, agency contractor or outside hacker to steal taxpayers' confidential information.

Indeed, a hacker might even "gain full control of the IRS network," said a report Monday from the office of the Treasury Inspector General for Tax Administration.

Investigators did not cite any specific cases of wrongdoing within the IRS, which processes some 137 million tax returns. But they suggested a lack of review means someone could get sensitive information and no one would ever know.

The report comes amid increasing scrutiny of the IRS and the problems posed both by security concerns within the system and identity theft threats from outside:

The independent IRS Oversight Board, in a report issued last month, outlined some $32 million in spending it said was needed to enhance the tax agency's security. "Disrupting IRS returns processing and stealing sensitive information could wreak havoc on the economy and financial markets," it said.

Separately, IRS Commissioner Douglas Shulman will testify before Congress on Thursday about scams in which people are fooled into revealing their Social Security numbers and other confidential information by e-mails and phone calls purported to be coming from the IRS. The tax agency said last month that taxpayers this year had already forwarded to the agency 33,000 'phishing' scam e-mails reflecting more than 1,500 different schemes.

Inside the IRS, Monday's inspector general report dealt specifically with the thousands of routers and data switches that connect networks and direct computer traffic among the tax agency's offices. It suggested that "an unscrupulous person could divert data traffic through a third-party system on its way to the intended destination."

A review found that the IRS had authorized 374 accounts for employees and contractors that could be used to perform system administration duties. But of those, 141 either had expired authorizations or had never been properly authorized.

There was particular concern that 27 of the 55 employees and contractor who apparently had not been authorized had accessed routers and switches to change security configurations.

In addition, system administrations circumvented authentication controls by setting up 34 unauthorized accounts that appeared to be shared-use accounts, the report found. During the fiscal 2007, some 4.4 million of the 5.2 million accesses to the control system were made by these 34 user accounts.

The IG's office also faulted the IRS for not adequately reviewing the "audit trail" logs that could help identify questionable activity.

"As a result, malicious persons could exploit vulnerabilities in the routers and switches to gain unauthorized access to sensitive information and disrupt computer operations with little chance of detection," the report said.

The IRS, in response, agreed to most of the report's recommendations for tightening controls. It said it would lock employee use accounts after 45 days of inactivity and remove those accounts after 90 days without use. It also said it would ensure that no unauthorized or unnecessary shared accounts exist in the control system.

The report follows a study by the congressional Government Accountability Office in January prodding the tax agency to fix dozens of information security weaknesses that left taxpayer records vulnerable to tampering or disclosure.

Then-acting IRS Commissioner Linda Stiff responded at the time that the agency recognized "there is significant work to be accomplished to address our information security deficiencies and we are taking aggressive steps to correct previously reported weaknesses."

There have been several widely publicized information-security incidents concerning government agencies other than the IRS. Perhaps the biggest was two years ago when a computer hard drive containing millions of names, Social Security numbers and birth dates was stolen from a Veterans Affairs employee's home in Maryland. The hard drive was later recovered.

Less than two months ago, a laptop computer containing medical records on 2,500 patients enrolled in a National Institutes of Health study was stolen from a researcher's car.

And last month, Secretary of State Condoleezza Rice apologized to presidential candidates Hillary Rodham Clinton, Barack Obama and John McCain after it was discovered that workers had snooped into their passport records.

[hypnotoad72]

JT_Lancer - I''m not disagreeing with you, but until our national debt is paid off, what can be done? Especially with an infrastructure starting to decay; we can''t do everything for free.

[jt_lancer]

Taxation is theft, plain and simple. No matter how you sugarcoat it, no matter how noble the intent.

The US managed to ''get by'' for 130 years without a federal income tax. Yet, today, we are taxed far more heavily than Americans were when they revolted against the British empire.

The best income tax is NO income tax.

This is JT Lancer and I approve this message.

[gcrosen1]

I wonder if the IRS Commish will address the rampant "identity theft" by undocumented workers in the U.S. that steal legitimate taxpayer''s social security numbers so that they can obtain employment and guess what?...the employer doesn''t care. Until you have been a victim of ID theft via this means you have no idea of the living hell it is for years to get it straightened out. First, they file a 1040 before you do and take your refund credit ($$$) and then the IRS puts a freeze on your account until it is researched and investigated, etc... Years later, if they situation is not reconciled, the Social Security Administration (SSA) may choose to issue you a new SSN. That''s what I call "FUBAR"!

[jetlizhan]

well good grief charlie brown - is there any positive news out there anymore?

[gunshack1]

It''s FUBAR not foobar. (*ucked up beyond all repair.)

[watcher269-2009]

Actually - it''s the NSA hacking into the files for Bush and Cheney! How do you think they can control everything?

BLACKMAIL! The Republican way to get ahead!

[watcher269-2009]

And Yet - TAXES are illegal according to the Constitution! If you want - but you better know what you are talking about - you don''t have to pay taxes - like Bush Senior - he doesn''t pay taxes.

[standlee5]

Oh gee, our personal information may be at risk. What else is new.

[cpaide]

"The answer is simple."
Posted by payasyougo

The answer starts simple and then gets progressively complex. Visit http://www.CPAide.com/ and search keyword "1864 Tax Return" and "1913 Tax Return" to see how it started.

What bothers me is how many intelligent people assume it''s ok for the government to take 15 percent or more of their money. Think about it for a minute. Doesn''t it seem extremely excessive? Like the 50 cents per gallon tax you pay on gasoline? That''s about 15 percent also.

I know the government needs $275 million PER DAY for the foobar in the middle east, but in 1864 (civil war foobar) and 1913 (WW I foobar) the tax on most people was only 3 percent. So why is 15 percent acceptable today?

And don''t get me started on state taxes. Go to http://www.statetaxcentral.com/ and search keyword "checklist" for help with that one.

darnedsocks wrote:

"This is really scarey. Far too often, because of the long, slow approval processes at goverment agencies, it leaves them behind in technology. I remember hearing about a hacker from eastern europe squatting on a state government server that had thousands of social security numbers and home addresses on it. It was not secure at all. The agency lacked the proper security resources to keep tabs on it and lock it down. TRULY SCAREY!"

Computer networks are only as secure as their dumbest user.

[payasyougo]

If the IRS were smart...

It would maintain a complicated, unbalanced, confusing, under-documented and conflicting system of tax regulations and utilize a self serving government to continue to compound and confound the system. It would hide behind a no consequence system of incorrect information doled out by it''s staff. It would hold taxpayers accountable for being overwhelmed by the regulations that change often enough to keep a workforce of CPA and tax attorneys growing rich (know any poor CPA or tax attorneys?). It would develop all of its software more expensively that the NSA yet with little to no concern regarding the public information they maintain. Ever see an apology from the IRS when they are wrong? They are never wrong, you just aught to be thankful you found your mistake (even though the mistake was due to confusing policy, incorrect information from the IRS over the phone, or a math error with their forms containing lines such as: "Add lines 12 through 16 and subtract line 42 then multiply by .32. If this amount is greater than line 44 then check NO for not at risk".

What a joke.

The answer is simple.

A Flat tax and it goes like this:

1.) 15% tax on all income above $60k.
2.) Zero tax below that income amount.

$60k would be the floor. There are no deductions.

You need more revenue, make it 15.04%.
Want to help the poor, increase the floor to $62k

[stn_sage]

While the IRS has had its'' problems over the years---under many administrations---it seems like it has been in meltdown mode under the current administration!

More private, confidential, personal information to be lost AGAIN?!

The LAST THING republican politicians/administrators seem to know about, is SECURITY! What the ''hay'' is that, they say?!

If it''s not the IRS, it''s Mueller and the FBI, the VA, Treasury, or the Dept. of Homeland Defense with security problems! GEEZ!

January 20, 2009 can''t get here soon enough!

[darnedsocks]

If the IRS were smart, it would pay for college educations to AMERICAN CITIZENS born & bred here in the U.S. who are willing to get a degree in Information Technology Security Systems, who would then work for them. I get so tired of hearing how they want to hire foreigners for 1/8th the salary over in India or Pakistan; then people wonder why the social security numbers and home addresses etc. get distributed throughout the globe and why the security sucks.

[darnedsocks]

This is really scarey. Far too often, because of the long, slow approval processes at goverment agencies, it leaves them behind in technology. I remember hearing about a hacker from eastern europe squatting on a state government server that had thousands of social security numbers and home addresses on it. It was not secure at all. The agency lacked the proper security resources to keep tabs on it and lock it down. TRULY SCAREY!

[kennergirl]

If the IRS was a business it would have gone under a long time ago. I don''t see why we can''t just have a flat tax and get rid of the IRS all together.