IRS Fails Security Audit, 490 Computers Missing In 3 Years

Taxpayers' sensitive personal and financial information has been "unnecessarily exposed" because of the lost or stolen computers, according to the report.

After undergoing its own audit, the government has reported that the IRS lost 490 computers between 2003 and 2006, and is not adequately protecting sensitive taxpayer information.

The Treasury's Inspector General said in a report last month that the IRS is not only losing hundreds of computers and storage devices, but is failing to encrypt data and is using weak passwords.

The audit also reported that because of the missing computers, personal information was compromised for at least 2,359 U.S. taxpayers, but the total can't be calculated because records don't list what information was stored on many of the machines.

"As a result, it is likely that sensitive data for a significant number of taxpayers have been unnecessarily exposed to potential identity theft and/or other fraudulent schemes," said Michael R. Phillips, deputy inspector general, in the report. He added that he believes it is very likely that a large number of the missing computers contain sensitive, unencrypted information.

The IRS, which has 100,000 employees, annually handles 220 million tax returns, which contain personal financial and identifying information, like addresses and Social Security numbers. The agency has issued 47,000 laptops to employees.

The report showed that it was unclear what information was on many of the missing computers and whether any of it had been encrypted. Phillips, however, said his investigators did their own analysis of 100 laptops currently in use and found that 44 of them contained unencrypted, sensitive data on taxpayers and agency employees.

According to the report, 15 of those 44 laptop computers with unencrypted data had security weaknesses, such as weak passwords and user names, which also could be exploited.

"As a result, we believe it is very likely a large number of the lost or stolen IRS computers contained similar unencrypted data," Phillips wrote. "Employees did not follow encryption procedures because they were either unaware of security requirements, did so for their own convenience, or did not know their own personal data were considered sensitive. We also found other computer devices, such as flash drives, CDs, and DVDs, on which sensitive data were not always encrypted."

Phillips noted that a 2003 audit found similar problems but the IRS has not taken corrective actions to secure critical data.

IRS employees, according to the report, are allowed to take computers holding taxpayer information out of the agency's offices. A "large number" of laptops were reported stolen from employees' vehicles and homes.

Just as sobering, 111 of the missing-computer incidents occurred inside IRS offices.

The agency has reported losing an increasing number of computers every year since 2003.

The report is part of the government's annual 2006 Audit Plan.
