Skip to main content

Report: Taxpayer records not secure

  • Story Highlights
  • Auditors say IRS not taking enough care of access to routers and switches
  • That could give hackers, others, a chance to steal taxpayer info, auditors say
  • IRS says it has made some changes, continues to improve security controls
  • At issue: Devices that determine how sensitive info travels between IRS networks
  • Next Article in Technology »
From Mike M. Ahlers
Decrease font Decrease font
Enlarge font Enlarge font

WASHINGTON (CNN) -- The Internal Revenue Service has left sensitive taxpayer information vulnerable to disgruntled IRS employees, contractors or hackers, according to independent auditors.

The IRS has left taxpayer information vulnerable to hackers, according to Treasury Department auditors.

The IRS has not done enough to safeguard some of its computer systems, and unscrupulous people could "reconfigure routers and switches" and "steal taxpayer information in a number of ways," according to the Treasury Inspector General for Tax Administration office, which serves a watchdog function over the IRS.

The IRS says it has addressed the concerns raised in the report.

At issue is the security of routers and switches, devices that determine the proper path for data to travel between computer networks, TIGTA said. Because the IRS sends sensitive taxpayer and government information across its networks, it must have security controls to deter and detect unauthorized users.

The report did not indicate whether any taxpayer information has ever been misdirected or stolen from IRS computers. But it said that on more than 84 percent of the 5.2 million occasions that employees accessed a system to administer and configure routers, they used "accounts" that were not properly authorized.

To ensure security, the IRS had authorized 374 accounts for employees and contractors to use when they performed system administration duties, TIGTA said. Of those, authorization for 86 had expired at the time of TIGTA's review in 2007, and there was no record that 55 employee and contractor accounts had ever been authorized.

"We are particularly concerned that 27 of the 55 employees and contractors had accessed the routers and switches to change security configurations," wrote Michael R. Phillips, the deputy inspector general who wrote the report.

In addition, nine accounts were still active, even though the employees and contractors had not accessed the system for more than 90 days, the report says. The IRS should have automatically prevented users from accessing routers and switches after 90 days, it says.

The report does not say whether taxpayer information was misused, but says it is continuing to review security to see whether changes made to the computer system were appropriate or warranted.

In a written response accompanying the report, the IRS said it has made some changes and is continuing to improve the control and monitoring of controls and switches. All 369 users now have current and valid authorizations on file, the IRS said. E-mail to a friend E-mail to a friend

All About Internal Revenue ServiceU.S. Department of the TreasuryComputer Crime

  • E-mail
  • Save
  • Print
Today's Featured Product:
2011 BMW Z4 sDrive35is
 8.0 out of 10
Recent Product Reviews:
RIM BlackBerry Torch 9800 (AT&T)
 8.0 out of 10
Motorola Rambler - black (Boost Mobile)
 7.0 out of 10
Samsung UN46C6500
 6.9 out of 10