[ISN] IRS Computers Vulnerable

From: mea culpa (jerichoat_private)
Date: Thu Jan 14 1999 - 18:44:04 PST

  • Next message: mea culpa: "[ISN] Norway Court Backs Internet Hackers"

    [Moderator: "The audit by the congressional General Accounting Office of
     six IRS facilities also found that 397 computer tapes containing taxpayer
     data had been lost." - Why does this scare me so?]
    
    Forwarded From: Will Spencer <will.spencerat_private>
    
    http://abcnews.go.com/sections/tech/DailyNews/irscomputers990112.html
    IRS Computers Vulnerable
    GAO Says Taxpayer Data At Risk 
    By Curt Anderson
    The Associated Press
    
    W A S H I N G T O N, Jan. 13 Chronic weaknesses in the IRS computer system
    are putting sensitive personal information about taxpayers at risk of
    improper uses, including theft and fraud, according to an audit released
    on Tuesday. 
    
    The audit by the congressional General Accounting Office of six IRS
    facilities also found that 397 computer tapes containing taxpayer data had
    been lost. 
         "Personal information on IRS computers is at risk to unauthorized
    disclosure, destruction or modification, and most alarmingly, to identity
    theft," said Senate Governmental Affairs Committee Chairman Fred Thompson,
    R-Tenn., who requested the audit. 
         The GAO credited the Internal Revenue Service with making some major
    leaps forward in improving computer security since another critical audit
    in April 1997. The IRS says it has corrected 75 percent of the problems
    identified in that report. 
    
    A List of Problems 
    
    But the GAO said "serious weaknesses" remain. Among them:
         * Computer hackers could access IRS data with relative ease
           because information isn&#0146;t encrypted before it is transmitted
           over telephone lines. IRS says it has no evidence such a crime has
           occurred.
         * Too many IRS employees have access to sensitive computing areas,
           and some tapes containing taxpayer information have been lost. 
         * Employees without a need to know have the ability to change or
           delete taxpayer information. Some tapes and disks are not
           overwritten before being used again, allowing unauthorized access
           to some of this information, including Social Security numbers. 
         * The new IRS system aimed at catching employees who illegally
           "browse" through taxpayer files is working on only one of several
           computer systems, and it cannot detect which activities are
           legitimate and which are not.
         * Few contingency plans are in place in case of disaster, such
           as an alternative computer processing site or effective backup
           electric generators. 
    
    IRS Working On Problems 
    
    In a written response, IRS Commissioner Charles Rossotti said he agreed
    with many of the conclusions and GAO recommendations, but he insisted that
    the agency is well on the way to a more complete turnaround. 
         Rossotti, whose background in the private sector focused on
    information systems, said the initial focus has been on larger data
    processing systems and it is now moving into other areas. But he noted
    that making these changes at the agency's over 1,000 facilities cannot be
    completed in a few years. 
         A new centralized IRS systems office completed a review of what
    needed to be done at all district offices in December and has now begun
    examining all other offices. 
         "We believe that managing risk and prioritizing corrective actions
    and resources is the key to making needed and measurable improvements,"
    Rossotti said in his response. "Protecting taxpayer information and the
    systems used to deliver services to taxpayers are key to the success of a
    customer-focused IRS." 
    
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:15:49 PDT