Slashdot Mirror


IRS Security Faults Leave Taxpayer Data At Risk

coondoggie writes "In this tax season, when billions of dollars and tons of personal information are relayed to and from the government, it's more than disconcerting to hear that the Internal Revenue Service is still struggling to keep private information secure. A report out Friday from watchdogs at the Government Accountability Office says about 69% of the tax agency's previously noted security flaws remain unfixed and continue to jeopardize the confidentiality, integrity, and availability of the IRS's systems (PDF). The problems put the IRS at increased risk of unauthorized disclosure, modification, or destruction of financial and taxpayer information, the GAO concluded."

5 of 42 comments

  1. These are basic best practices. by DJRumpy · Score: 3, Informative

    Shameful that any company would fail at these basic tasks. It would take any competent admin very little time to compose policies that would effectively handle most of these. The others would require procedural changes, but why would they continue to let the issue go if they know it's an audit exposure? (no pun intended)

    From TFA:

    For example, the GAO stated that the IRS continues to:

            * use passwords that are not complex,
            * ineffectively remove application accounts in a timely manner for separated employees,
            * allow personnel excessive file and directory permissions,
            * allow the unencrypted transmission of user and administrator login information,
            * install security patches in an untimely manner

    1. Re:These are basic best practices. by Vellmont · Score: 3, Interesting

                      * use passwords that are not complex,
                      * ineffectively remove application accounts in a timely manner for separated employees,
                      * allow personnel excessive file and directory permissions,
                      * allow the unencrypted transmission of user and administrator login information,
                      * install security patches in an untimely manner

      I've seen most of those items every place I've worked. None of them are particularly "red alert" type problems on their own. For instance, are the passwords that aren't complex on publicly accessible systems? Someone logging into IRS.gov with "irs", "password" is a MAJOR MAJOR problem. Someone logging into a system only available in an IRS office with "s.johnson", "skipper2" is far less so.

      The report is long and focuses on stuff auditors with no real IT experience sit around and worry about. I'm sure not going to read through the whole thing, but the parts I read are relatively yawn-worthy. An example would be how passwords were set to expire after 118 days on a certain system instead of 58 days. This despite the fact that there's wide-scale disagreement as to whether requiring people to change passwords has any real effect on security. Another example would be that they didn't perfectly segregate important duties properly. (The example given was that someone was both a database administrator and a system administrator.)

      The report is littered with statements like this:

      For example, about 120 IRS employees had access to key documents, including cost data for input to its administrative accounting system and a critical process-control spreadsheet used in IRS's cost allocation process. However, fewer than 10 employees needed this access to perform their jobs...which could result in incorrect input and data processing... ultimately jeopardizing the information presented in IRS's annual financial statements.

      (excuse me if this isn't something I'm going to write my congressman about)

      If this is really the worst the GAO can come up with, I'd say we're all pretty safe. How many controls do you think your local H&R Block has?

      --
      AccountKiller
  2. Good to know by g0bshiTe · Score: 3, Insightful

    It's good to know that those who deal with SOX compliance and don't come into compliance are slapped hard with penalties, yet the same rules don't apply to the branch of the FEDERAL GOVERNMENT that deals with more sensitive data than any SOX umbrella'd company.

    --
    I am Bennett Haselton! I am Bennett Haselton!
    1. Re:Good to know by Vellmont · Score: 4, Insightful

      It's good to know that those who deal with SOX compliance and don't come into compliance are slapped hard with penalties,

      Anyone who's ever been audited knows that the audit is all about the auditor, not about the rules. In the case of SOX, it's the company being audited who hires the auditor. The company DOING the audit isn't even liable if the company being audited is fraudulent and the auditor doesn't catch it. This adds up to a huge conflict of interest along the lines of the bond rating companies. Who's going to hire an auditing firm that's a known bunch of sticklers?


      the same rules don't apply to the branch of the FEDERAL GOVERNMENT that deals with more sensitive data than any SOX umbrella'd company.

      Access to data is a very small part of what SOX is supposed to be about, and about zero reason why it was created in the first place. SOX was a reaction to the Enron scandal, where they essentially had extraordinarily deceptive accounting practices that claimed they were worth billions of dollars when in fact they weren't worth much of anything. They did other tricks like creating dummy corporations that traded assets back and forth to inflate worth. Citigroup was recently reported as selling their crappy worthless mortgage bonds the day before the end of a quarter for cash in exchange for buying them back the next quarter (this was actually recently). THAT is the real scam, though obviously the SOX rules didn't do much of anything to stop anyone.

      If you want to get all pedantic about "the rules", go ahead. I think you miss the larger picture though.

      --
      AccountKiller
  3. They fscked me. by MikeFM · Score: 3, Insightful

    The only identity theft I've ever suffered is through the IRS. Supposedly four years ago someone else filed with my SSN. I haven't got my tax refund since. They won't talk to me about what is going on. I've done everything they've asked including filing a police report and verifying my identity with the social security office. If you call the customer support number they aren't able to help because my account is being handled by a secret agency within the IRS that not even they can talk to. They've twice sent me [different] dead phone numbers that are supposedly my point of contact for finding out what is going on. They've gone so far as to send me a bill and to threaten what will happen to me if they find out I'm doing something bad. Last year they finally sent me a letter confirming they recognize that I am me. They sent me a couple hundred dollar check (they owe me thousands) and said there might be more after further review. I've never heard from them again. This year my tax refund got flagged and lost in limbo again.

    --
    At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.