[ISN] Report: Contractors Upgrading IRS Systems Put Taxpayer Data At Risk

InfoSec News isn at c4i.org
Tue Jul 20 08:12:40 EDT 2004


http://www.informationweek.com/story/showArticle.jhtml;jsessionid=UH3N5BCMVPG50QSNDBGCKHY?articleID=23902174

By Mary Dalrymple
AP Tax Writer 
July 19, 2004 

WASHINGTON (AP) -- Private contractors revamping IRS computers
committed security violations that significantly increased the
possibility that private taxpayer information might be disclosed,
Treasury Department inspectors say.

An investigation by the department's inspector general for tax
administration found that employees working for contractors, or an
experienced hacker, could use the contractors' computers to gain
access to taxpayer data.

"Our concerns were increased when we could not find documentation that
all contractor employees had received background investigations as
required," the report said.

Other lapses left the IRS computer system vulnerable to viruses and
hackers, investigators said.

"In summary, a contractor's employees committed numerous security
violations that placed IRS equipment and taxpayer data at risk," the
report found. "In some cases, contractors blatantly circumvented IRS
policies and procedures even when security personnel identified
inappropriate practices."

In response, an IRS official acknowledged security problems but said
the agency found no evidence to support contentions that there was a
big risk that hackers could gain access to IRS computers or that
taxpayer confidentiality would be breached.

"We can find no evidence of contractor activities that resulted in
unrestricted access to production systems or taxpayer data," Daniel
Galik, chief of IRS mission assurance, wrote to inspectors. "In the
absence of documented incidents, we must conclude that much of your
assessment is based on theoretical possibilities."

The report comes as Congress considers giving the IRS authority to
hire private contractors to collect overdue tax debts, an effort that
has some lawmakers and others worried that taxpayer information won't
be protected.

"They obviously do not have good systems in place to monitor the
contractors today," said Colleen Kelley, president of the National
Treasury Employees Union. "This will result, for taxpayers, in very
aggressive tactics by debt collectors."

The employees' union obtained a copy of the report through the Freedom
of Information Act. Portions identifying the contractor, its
employees, and IRS personnel practices were not shown.

Treasury inspectors also found that after their auditors conducted the
exam and the security violations became known, the IRS granted the
contractor "root" access to the computer system. Root access gives a
user permission to make unlimited and unrestricted changes to any part
of the computer system, including the ability to turn off mechanisms
that monitor users' actions.

The inspectors raised additional concerns:

-- Unauthorized chat and instant-messaging activity left the IRS
   vulnerable to hackers who use those avenues to get information
   about an organization's internal computer architecture.

-- Contractors' computers were vulnerable to hackers and viruses
   because they did not have security patches for known
   vulnerabilities in operating software.

-- Some computers used by contractors were too old to support a secure
   operating system, and the IRS did not have enough money to replace
   them.

The inspector general reviewed four contracts last year in which
contractors had access to critical equipment and systems. The IRS has
over 900 contracts with private companies and consultants.





More information about the ISN mailing list