Audits and reports warned of IRS computer safety risks

Kevin McCoy | USA TODAY

Video caption: IRS says thieves stole tax info from 100,000. IRS says thieves used online agency service to get access to 100,000 tax returns. (May 26)

Government monitors repeatedly warned of IRS computer security risks long before Tuesday's disclosure that identity thieves had stolen tax agency data for roughly 100,000 U.S. households.

At least seven federal audits and other reports from 2007 to 2014 outlined dangers that ranged from failures in IRS database controls to hiring an ex-con without a background check and failing to screen other workers who had access to personal data for millions of taxpayers.

"Computer security has been problematic for the IRS since 1997," according to an October 2014 report by the Treasury Inspector General for Tax Administration, the government monitor for the nation's tax agency.

So problematic that TIGTA has ranked security for taxpayer data and IRS employees among the tax agency's top management challenges every year since at least 2004.

The U.S. Government Accountability Office separately warned last year that despite IRS computer security improvements, "weaknesses remain that could affect the confidentiality, integrity and availability of financial and sensitive taxpayer data."

Shortcomings identified by the GAO included the IRS' failure to restrict physical access to computer resources, along with the use of weak encryption for authentication on many of the tax agency's computer servers.

The IRS agreed with many of the findings and said corrections would be made. However, tax agency officials have contended that IRS budget cuts approved by Congress have made it harder to implement upgraded security safeguards.

The tax agency believes the new data breach originated with suspects in Russia, CNN reported Wednesday, citing two unidentified people briefed on the investigation.

The IRS issued standard security configurations for its databases in March 2006, TIGTA said.

Just over a year later, oversight auditors tested security controls on 17 databases from eight tax administration applications.

"Collectively, these databases failed 30% of our tests," the TIGTA audit concluded. "Exploitation of the vulnerabilities found could result in unauthorized accesses to taxpayer information and ultimately result in identity theft or fraud."

The IRS agreed with audit recommendations to correct the weaknesses.

But a subsequent audit completed in May 2011 said TIGTA auditors "could not determine if the weaknesses were entered, addressed, or closed."

"As a result we have no assurance that the previous security weaknesses were corrected," the auditors wrote.

The 2011 audit identified additional security issues. IRS non-mainframe databases that contained taxpayer data were not always securely configured to guard against potential breaches, TIGTA reported.

IRS databases also ran outdated software that no longer received security patches and other support. Additionally, auditors reported that the IRS bought a vulnerability scanning and compliance assessment tool without completing adequate evaluation and testing.

"As a result, the IRS spent more than $1.1 million in software licenses and support tools for a tool that was not fully implemented," the audit concluded.

An April 2012 TIGTA audit report said the IRS office responsible for around-the-clock checks for cyberattacks and computer vulnerabilities was not monitoring 34% of the tax agency's computer servers.

The IRS office, known as the Computer Security Incident Response Center, also had failed to send required reports about all computer security incidents to the Treasury Department, auditors reported.

Moreover, the monitoring center's operating procedures "are not formalized and are outdated and incomplete," TIGTA concluded.

The IRS agreed to take most of the corrective actions recommended in the audit findings.

But another TIGTA audit in 2013 found that the IRS had only partly implemented eight out of 19 recommended corrections for risks related to security of systems involving taxpayer data. The IRS nonetheless listed all 19 as fully completed, the audit showed.

Yet another audit, completed in January 2013, reported several delays in IRS implementation of a program designed to provide continuous monitoring of the tax agency's workstation security.

Initially scheduled for deployment by December 2010, the completion date was pushed back to May 2013, TIGTA reported.

Reviewing IRS vendor contracts, a 2014 TIGTA audit discovered that a courier who transported IRS documents, including tax returns, to and from the IRS and postal offices, had not been put through a background check.

That courier had a record of serving 21 years in prison for arson, retaliation and attempted escape, the audit reported.

Similarly, a company awarded an IRS contract to print and mail tax forms received a compact disk with 1.4 million taxpayers' names, addresses and Social Security numbers.

"None of the contractor personnel who worked on this contract underwent a background investigation," auditors concluded.

Asked in February by USA TODAY whether the nation's tax agency was secure from computer hackers, IRS Commissioner John Koskinen replied: "The best response is never to think you're safe."

"We're getting people from around the world trying to figure out how to get in, because if you could get into the IRS, it's a great place to get data. We have firewalls, anything that's state-of-the-art, we have," Koskinen said. "That's something we've spent money on, something we're focused on. Thus far, we haven't had a significant breach, but are literally always under attack."