Thompson: IRS Was Unable to Adequately Protect
Electronically Filed Taxpayer Data
GAO Report Outlines Vulnerability of Taxpayer
Information Submitted
Electronically During Last Year’s Tax Season
Washington, DC - Senate Governmental Affairs
Committee Chairman Fred Thompson (R-TN) today released a General
Accounting Office (GAO) report which reveals that during last
year’s tax filing season the Internal Revenue Service (IRS)
did not take adequate steps to protect the security of
electronic filing systems and electronically transmitted
taxpayer data. As a result, unauthorized individuals, both
inside and outside the IRS, could have gained access to the IRS
electronic filing systems and viewed and modified taxpayer data.
"Government agencies that collect and
maintain citizens’ personal data must make information
security and privacy a priority," said Chairman Thompson,
who met with IRS Commissioner Charles O. Rossotti earlier this
year to discuss the vulnerabilities and the steps the IRS is
taking to address them. "We don’t know if there were
internal or external security breaches last year, but the
potential was there and that’s unacceptable. I hope the IRS
will go the extra mile to protect citizens’ data from being
viewed, modified or stolen by unauthorized personnel."
The report, Information Security: IRS
Electronic Filing Systems, outlines how the IRS did not take
adequate steps to assess risks and monitor the effectiveness of
security controls over electronically filed tax return data last
year. In fact, controls that were designed to ensure the
security, privacy and reliability of the IRS’s systems did not
work. For example, GAO security experts were able to break into
these systems and view the information contained in them. GAO
was successful in gaining such access because IRS at that time
had:
not effectively restricted external access
to computers supporting the e-file program;
not securely configured the operating
systems of its electronic filing systems;
not implemented adequate password
management and user account practices;
not sufficiently restricted access to
computer files and directories containing tax return data
and other system data; or
not used encryption to protect tax return
data on e-file systems.
Thompson noted that since last year, the IRS,
which encourages people to file their returns electronically,
has taken corrective steps to ensure that the privacy and
security of taxpayer data is not compromised. Those actions have
not yet been tested for their accuracy and reliability by
outside security experts and the IRS intends to have them tested
in the near future. According to Mr. Rossotti, "We
have strengthened our systems’ security, and we will remain
vigilant to keep our e-file process the safest possible."
-031501-
|