[ISN] IRS still losing laptops

From: InfoSec News (alerts@private)
Date: Fri Apr 06 2007 - 00:26:51 PDT


http://www.infoworld.com/article/07/04/05/HNirslostlaptops_1.html

By Matt Hines
April 05, 2007

A new report filed by federal security auditors finds that that the 
Internal Revenue Service has had almost 500 laptop computers lost or 
stolen over the last three years, many of which were loaded with 
sensitive taxpayer information.

In a memo authored by the Treasury Department's Inspector General for 
Audit, Michael R. Phillips, investigators maintain that the IRS is not 
adequately protecting taxpayer data on laptops and other portable 
electronic media devices. The report contends that between 2003 and 2006 
the IRS had some 490 laptops lost or stolen in 387 individual incidents.

In the missive, originally filed to IRS leaders on March 23, the 
auditors said 176 of those incidents did not involve the potential 
exposure of taxpayer data, but noted that the information of at least 
2,300 individuals was stored on the other missing laptops.

The investigators said that they were unable to deduce whether taxpayer 
information was exposed via 85 of the reported device losses, however, 
it was confirmed that the personal information of at least 3,359 
taxpayers was misplaced in the other incidents.

While chilling, the report does in fact show signs that the IRS has 
slowed the loss of computing devices over the last few years. In Jan. 
2002, the IRS admitted in a similar audit that it had lost or misplaced 
some 2,332 laptops, desktops and servers over the previous 36 months.

According to the report, a large number of the missing laptops were 
stolen from employees' vehicles and residences, with an additional 111 
of the incidents occurring within IRS facilities.

Perhaps the most notorious loss of a laptop in the federal sector came 
in May 2006 when a contractor working with the Department of Veterans 
Affairs had a computer stolen from his home that carried the personal 
data of an estimated 26.5 million people. The laptop was eventually 
recovered by law enforcement officials.

In addition to failing to properly secure their devices in and out of 
the office, the auditors said that some of the IRS' 100,000 employees 
were not properly encrypting data on their machines or utilizing 
adequate password protections.

Further, the auditors said that they conducted a test on 100 laptop 
computers currently in use by IRS employees and determined that 44 of 
the devices contained unencrypted sensitive data, including taxpayer 
data and employee personnel data.

The IRS requires usernames and passwords on its laptops, but 15 of the 
44 computers with unencrypted sensitive data also contained security 
vulnerabilities that could allow for circumvention of those tools.

"As a result, we believe it is very likely a large number of the lost or 
stolen IRS computers contained similar unencrypted data," the inspectors 
wrote in the report. "Employees did not follow encryption procedures 
because they were either unaware of security requirements, did so for 
their own convenience, or did not know their own personal data were 
considered sensitive."

The auditors also observed other computer devices, including as USB 
flash drives, CDs, and DVDs on which sensitive data were not always 
encrypted, and found in a test on the agency's off-site storage back-up 
operations that at least four of the sites lacked sufficient data 
encryption.

At one location, non-IRS employees had full access to the storage 
infrastrucutre and the agency's backup media, the report said. In 
addition, envelopes and boxes with backup media onboard were left open 
and not resealed.

At another back-up facility, a retired employee still retained full 
access rights to sensitive data. and inventory controls for backup media 
were found to be inadequate.

"We attributed these weaknesses to a lack of emphasis by management," 
the auditors wrote.

Another problem isolated in the report is a lack of consistent reporting 
of device losses to the Treasury Department's Inspector General's office 
and the IRS Computer Security Incident Response Center (CSIRC), both of 
which are required to be notified in such incidents. Inadequate 
coordination between the two groups made it harder to determine what 
types of information were on each of the missing computers, according to 
the report.

In their final recommendations, the auditors recommend that IRS leaders 
refine their incident response procedures to ensure for better 
understanding of any potential data exposure and more frequently remind 
employees to use proper device security measures. The report also 
contends that the agency should consider implementing a "systemic disk 
encryption solution" on its laptops that does not rely on employee 
interaction to protect sensitive information.

Phillips writes that IRS management agreed with all of his office's 
findings, and most of its recommendations.


__________________________
Subscribe to InfoSec News
http://www.infosecnews.org



This archive was generated by hypermail 2.1.3 : Fri Apr 06 2007 - 00:42:31 PDT