Thompson: IRS Was Unable to Adequately Protect Electronically Filed Taxpayer Data

Washington, DC – Senate Governmental Affairs Committee Chairman Fred Thompson (R-TN) today released a General Accounting Office (GAO) report which reveals that during last year’s tax filing season the Internal Revenue Service (IRS) did not take adequate steps to protect the security of electronic filing systems and electronically transmitted taxpayer data. As a result, unauthorized individuals, both inside and outside the IRS, could have gained access to the IRS electronic filing systems and viewed and modified taxpayer data.

“Government agencies that collect and maintain citizens’ personal data must make information security and privacy a priority,” said Chairman Thompson, who met with IRS Commissioner Charles O. Rossotti earlier this year to discuss the vulnerabilities and the steps the IRS is taking to address them. “We don’t know if there were internal or external security breaches last year, but the potential was there and that’s unacceptable. I hope the IRS will go the extra mile to protect citizens’ data from being viewed, modified or stolen by unauthorized personnel.”

The report, Information Security: IRS Electronic Filing Systems, outlines how the IRS did not take adequate steps to assess risks and monitor the effectiveness of security controls over electronically filed tax return data last year. In fact, controls that were designed to ensure the security, privacy and reliability of the IRS’s systems did not work. For example, GAO security experts were able to break into these systems and view the information contained in them. GAO was successful in gaining such access because IRS at that time had:

        not effectively restricted external access to computers supporting the e-file program;

        not securely configured the operating systems of its electronic filing systems;

        not implemented adequate password management and user account practices;

        not sufficiently restricted access to computer files and directories containing tax return data and other system data; or

        not used encryption to protect tax return data on e-file systems.

Thompson noted that since last year, the IRS, which encourages people to file their returns electronically, has taken corrective steps to ensure that the privacy and security of taxpayer data is not compromised. Those actions have not yet been tested for their accuracy and reliability by outside security experts and the IRS intends to have them tested in the near future. According to Mr. Rossotti, “We have strengthened our systems’ security, and we will remain vigilant to keep our e-file process the safest possible.”