More trouble for IRS security


April 8, 2008 at 12:00a.m.

A hacker could gain control of the IRS network, a Treasury watchdog says.

WASHINGTON (AP) — One more tax-season dread: A week before the filing deadline, Treasury watchdogs said Monday that poor controls over IRS computers could allow a disgruntled employee, agency contractor or outside hacker to steal taxpayers’ confidential information.

Indeed, a hacker might even “gain full control of the IRS network,” said a report Monday from the office of the Treasury Inspector General for Tax Administration.

Investigators did not cite any specific cases of wrongdoing within the IRS, which processes some 137 million tax returns. But they suggested a lack of review means someone could get sensitive information and no one would ever know.

The report comes amid increasing scrutiny of the IRS and the problems posed both by security concerns within the system and identity theft threats from outside:

UThe independent IRS Oversight Board, in a report issued last month, outlined some $32 million in spending it said was needed to enhance the tax agency’s security. “Disrupting IRS returns processing and stealing sensitive information could wreak havoc on the economy and financial markets,” it said.

USeparately, IRS Commissioner Douglas Shulman will testify before Congress on Thursday about scams in which people are fooled into revealing their Social Security numbers and other confidential information by e-mails and phone calls purported to be coming from the IRS. The tax agency said last month that taxpayers this year had already forwarded to the agency 33,000 ‘phishing’ scam e-mails reflecting more than 1,500 different schemes.

Inside the IRS, Monday’s inspector general report dealt specifically with the thousands of routers and data switches that connect networks and direct computer traffic among the tax agency’s offices. It suggested that “an unscrupulous person could divert data traffic through a third-party system on its way to the intended destination.”

A review found that the IRS had authorized 374 accounts for employees and contractors that could be used to perform system administration duties. But of those, 141 either had expired authorizations or had never been properly authorized.

There was particular concern that 27 of the 55 employees and contractor who apparently had not been authorized had accessed routers and switches to change security configurations.

In addition, the IRS issued a statement Monday saying it had “taken a number of steps to improve the control and monitoring of routers and switches.”

By using this site, you agree to our privacy policy and terms of use.

» Accept
» Learn More