[ISN] Inspector General Report: Two IRS Applications Leave Taxpayer Data at Risk

From: InfoSec News <alerts_at_private>
Date: Fri, 17 Oct 2008 01:29:35 -0500 (CDT)
http://www.darkreading.com/document.asp?doc_id=166144

By Kelly Jackson Higgins
Senior Editor
Dark Reading
OCTOBER 16, 2008

The Internal Revenue Service left taxpayer data exposed by deploying two 
major computer systems despite knowing that they harbor security 
vulnerabilities, according to a report [1] released publicly today by 
the Treasury Inspector General for Tax Administration (TIGTA).

The inspector general office says the IRS’s mainframe-based Customer 
Account Data Engine (CADE) for managing taxpayer accounts and its 
Account Management Services (AMS) for IRS access to taxpayer data 
contain flaws that the IRS identified but did not fix before 
rolling them out last year. The billion-dollar, high-sensitivity CADE 
system is one of the key elements of the IRS’s computer modernization 
program, and processed about 20 percent of the 142 billion tax returns 
filed to the IRS, according to the Associated Press.

CADE contains vulnerabilities that could lead to potential 
administrative privilege abuse, malware attacks, and unauthorized access 
to the system and its data. Among the other flaws highlighted in the 
report are a lack of configuration management, storage and disaster 
recovery deficiencies, and no actual security guidelines or plans for 
connecting the system to other government agencies’ systems. The IRS 
also sends personally identifiable information from CADE within its data 
centers in clear text, and leaves its backup systems unencrypted.

AMS, meanwhile, includes taxpayer identification numbers in its 
application error log, and its operating system has only a 77.8 percent 
compliance rate with the required security settings, according to the 
report.

TIGTA is unaware of any taxpayer data actually getting compromised or 
falling into the wrong hands, but the data was exposed on these systems, 
according to the agency. 

[1] http://www.treas.gov/tigta/auditreports/2008reports/200820163fr.pdf

[...]

