Congressional investigators last year uncovered pervasive security gaps in the electronic filing systems at the Internal Revenue Service that potentially left the tax return data of millions of individuals and businesses vulnerable to hackers, according to a government report issued yesterday.
The report by investigators at the General Accounting Office outlines "serious weaknesses" in the IRS's electronic filing systems during the 2000 tax season that placed taxpayers' personal data at risk. The GAO, the investigative arm of Congress, conducted the test last May at the request of Sen. Fred Thompson (R-Tenn.), chairman of the Senate Governmental Affairs Committee.
Although IRS Commissioner Charles Rossotti said there's no evidence that any data was compromised or stolen, security experts said the gaps found by the GAO are so basic that hackers with entry-level skills could have easily gained access to the IRS network without being detected.
According to the report, GAO auditors were able to breach the IRS's filing system using a standard handheld computer. Vulnerabilities stemmed from the agency's failure to take several basic security precautions, such as restricting access to the filing system, properly configuring operating systems and firewalls, enforcing password protection, and using encryption to secure tax returns as they were transmitted from third-party tax preparation firms and stored on IRS systems.
"Given these vulnerabilities, you don't have to be a very sophisticated hacker to get into the system," said Drew Williams, director of intrusion-detection systems at Intrusion.com Inc., a Richardson, Texas-based security software and appliance developer. "When a firewall is not configured properly or [is] left open, it means that anybody with the least sophisticated tools can take a look."
However, the vulnerabilities may also have opened the entire IRS network to hackers, according to the report. In fact, IRS personnel "turned off" network control devices to speed up the processing of electronic tax returns, according to GAO investigators. "These actions exposed other systems attached to IRS's wide-area network to unauthorized access," the report concluded.
The agency had also approved individuals with a history of unpaid tax liabilities, late tax returns or false tax returns as electronic filing trading partners, the report stated. Such individuals could pose a significant insider threat to the data, experts said.
More than 35 million Americans filed their tax returns online last year. The IRS, which collects more than $1.9 trillion in taxes and issues refunds of about $850 billion annually, plans to significantly expand its electronic filing initiative by 2007 to cover as many as 80% of all tax returns filed.
However, the latest GAO report isn't the first to lambast the IRS for lax information security. In 1999, the GAO slapped the IRS with a failing grade in security for providing insufficient controls on internal security and collections.
An official familiar with the IRS systems in question said the GAO's testing coincided with Y2k vulnerabilities that hadn't yet been fixed. However, the official, who requested anonymity, also said that many of the systems use "such Stone Age technology that I doubt anyone GAO could hire today as a 'hacker' would know what it was -- or how to crack into it."
The report further noted that the IRS assisted the GAO during its testing, whereas real hackers would obviously have to break into the system without such help.
John Pescatore, an analyst at Gartner Group Inc. in Stamford, Conn., said the IRS system was easy pickings for most hackers. "So many government Web servers are vulnerable to such a wide variety of attacks that I will bet your next tax refund that a good attacker could have gotten into the e-file servers," he said. "I personally do not file electronically because of the sorry state of Web security."
Paul Overhauser, president of eSmart Corp., an Indianapolis-based security consulting firm, said it's "disappointing to learn that the private financial information of individuals and businesses is, in essence, free for the taking due to the lackadaisical approach to security taken by the IRS." According to Overhauser, a greater concern is that the report could significantly diminish the public's confidence in government because the IRS had previously identified the vulnerabilities that were used to infiltrate its systems.
In a letter to the GAO dated Feb. 8, Rossotti said the agency took "timely" steps to bolster security as soon as the GAO's findings were brought to his attention.
"To put it simply, taxpayers can feel safe and secure using e-filing during the 2001 filing system," Rossotti said. The IRS commissioner also said the agency will notify taxpayers on its Web site of the "inherent risks" associated with using third parties to prepare and file tax returns.
Despite Rossotti's assurances, Intrusion.com's Williams said he isn't convinced that the IRS's problems are over. "The only reason the IRS did not get hacked last year is because it wasn't interesting enough to hackers," said Williams. "Guess what -- it is now. And now the IRS is racing against the exploits."
Related stories:
- IRS connects agents with expanded VPN, Feb. 5, 2001
- GAO: Federal IT systems still vulnerable to attack, misuse, Jan. 17, 2001
- Analyst report, IRS: More people filing taxes online, April 17, 2000