As the deadline for filing U.S. tax returns draws nearer, a new report released Thursday by the General Accounting Office (GAO) may give some taxpayers pause about submitting their returns through the Internal Revenue Service (IRS) electronic filing program.
According to the study, which was commissioned by Sen. Fred Thompson (R-Tennessee) to evaluate the efficacy of computer networks used by the IRS to support its e-filing system, major security holes were left open during last year's filing season.
The security problems could have compromised the personal data of taxpayers who filed via telephone, or electronically through the agency's trading partners, such as tax preparation giants H&R Block and Quicken.com.
During 2000, the IRS reported that 35 million individuals submitted returns through its e-file program. The number represented about 28 percent of all individual returns filed for the year.
"The IRS did not adequately secure access to its electronic filing systems or to the electronically transmitted tax return data those systems contained," said the GAO, the investigative arm of Congress.
"We demonstrated that unauthorized individuals, both internal and external to the IRS, could have gained access to IRS's electronic filing systems and viewed and modified taxpayer data."
No Hack Attacks
Although IRS Commissioner Charles O. Rossotti maintained, in a letter to the GAO, that there was "no evidence" the agency's system had been broken into, the report uncovered that the IRS "did not have adequate procedures to detect such intrusions" during last year's tax season.
In fact, the report said, the IRS failed to detect much of the testing by GAO investigators as they broke into the system. Examiners were also able to access a key electronic filing system using a common handheld computer.
However, Rossotti said that the study "does not differentiate between the likelihood of the threats occurring and the risks associated with the threats -- resulting in the message unreasonably promoting undue concern."
Taxpayers Safe
Rossotti said that the IRS has fixed many of the problems. "The IRS initiated timely actions to strengthen important security controls when your audit findings were brought to our attention," Rossotti wrote to the GAO.
"As a result, the electronic filing systems now satisfactorily meet critical federal information security requirements to provide strong controls to protect taxpayer data."
Rossotti added: "Taxpayers can feel safe and secure using e-filing during the 2001 filing season."
The GAO said it plans to examine the corrective measures undertaken by the IRS in a follow-up review.
Security Shortcomings
Specifically, the GAO said it was able to gain access because the IRS had not restricted external access to its e-filing system through a strong firewall. According to the GAO, the IRS also failed to securely configure the operating systems of its e-filing systems and did not sufficiently limit access to computer files and directories containing tax return and other system data. The GAO also said the IRS failed to use encryption to protect tax return data.
In addition, the report found that the IRS had not implemented an adequate password management system. It pinpointed what it called "serious weaknesses in IRS's controls over the confidentiality and complexity of its passwords."
For example, investigators were able to guess many passwords and found user identification and passwords posted in public view at one facility.
The GAO also said it was necessary for the IRS to implement a long-term security plan. "Ensuring that ongoing controls over electronic filing are effective requires top-management support and leadership, disciplined processes, and consistent oversight," said the report.
Gaining Ground
While privacy advocates have long clamored for stronger federal laws to safeguard personal consumer information, the GAO said guaranteeing confidentiality is particularly important for taxpayers, who disclose their Social Security numbers, dependents, income sources, deductions and expenses on income tax forms.
Disclosing such data to unauthorized individuals could expose taxpayers to identity theft, financial loss and damages, said the report.
In addition, the study said it is critical for the IRS to assess threats to its systems and monitor security controls on an ongoing basis since the number of taxpayers filing electronic returns is expected to grow.
Aggressive Goal
The IRS has aggressively marketed its e-file option since Congress passed the IRS Restructuring and Reform Act in 1998, which set a goal that 80 percent of all returns would be filed electronically by 2007.
The GAO warned that efforts by the agency to reach that level must be "balanced with the need to adequately ensure the security, privacy and reliability of taxpayer and other sensitive information."
The report added that failure to maintain adequate security over the IRS' e-filing systems could erode public confidence in electronically filing tax returns, thereby jeopardizing its ability to meet the 80 percent goal.
