As the deadline for filing U.S. tax returns draws nearer, a new report released Thursday by the General Accounting Office (GAO) may give some taxpayers pause about submitting their returns through the Internal Revenue Service (IRS) electronic filing program.
According to the study, which was commissioned by Sen. Fred Thompson (R-Tennessee) to evaluate the efficacy of computer networks used by the IRS to support its e-filing system, major security holes were left open during last year’s filing season.
The security problems could have compromised the personal data of taxpayers who filed via telephone, or electronically through the agency’s trading partners, such as tax preparation giants H&R Block and Quicken.com.
During 2000, the IRS reported that 35 million individuals submitted returns through its e-file program. The number represented about 28 percent of all individual returns filed for the year.
“The IRS did not adequately secure access to its electronic filing systems or to the electronically transmitted tax return data those systems contained,” said the GAO, the investigative arm of Congress.
“We demonstrated that unauthorized individuals, both internal and external to the IRS, could have gained access to IRS’s electronic filing systems and viewed and modified taxpayer data.”
No Hack Attacks
Although IRS Commissioner Charles O. Rossotti maintained, in a letter to the GAO, that there was “no evidence” the agency’s system had been broken into, the report uncovered that the IRS “did not have adequate procedures to detect such intrusions” during last year’s tax season.
In fact, the report said, the IRS failed to detect much of the testing by GAO investigators as they broke into the system. Examiners were also able to access a key electronic filing system using a common handheld computer.
However, Rossotti said that the study “does not differentiate between the likelihood of the threats occurring and the risks associated with the threats — resulting in the message unreasonably promoting undue concern.”
Rossotti said that the IRS has fixed many of the problems. “The IRS initiated timely actions to strengthen important security controls when your audit findings were brought to our attention,” Rossotti wrote to the GAO.
“As a result, the electronic filing systems now satisfactorily meet critical federal information security requirements to provide strong controls to protect taxpayer data.”
Rossotti added: “Taxpayers can feel safe and secure using e-filing during the 2001 filing season.”
The GAO said it plans to examine the corrective measures undertaken by the IRS in a follow-up review.
Specifically, the GAO said it was able to gain access because the IRS had not restricted external access to its e-filing system through a strong firewall. According to the GAO, the IRS also failed to securely configure the operating systems of its e-filing systems and did not sufficiently limit access to computer files and directories containing tax return and other system data. The GAO also said the IRS failed to use encryption to protect tax return data.
In addition, the report found that the IRS had not implemented an adequate password management system. It pinpointed what it called “serious weaknesses in IRS’s controls over the confidentiality and complexity of its passwords.”
For example, investigators were able to guess many passwords and found user identification and passwords posted in public view at one facility.
The GAO also said it was necessary for the IRS to implement a long-term security plan. “Ensuring that ongoing controls over electronic filing are effective requires top-management support and leadership, disciplined processes, and consistent oversight,” said the report.
While privacy advocates have long clamored for stronger federal laws to safeguard personal consumer information, the GAO said guaranteeing confidentiality is particularly important for taxpayers, who disclose their Social Security numbers, dependents, income sources, deductions and expenses on income tax forms.
Disclosing such data to unauthorized individuals could expose taxpayers to identity theft, financial loss and damages, said the report.
In addition, the study said it is critical for the IRS to assess threats to its systems and monitor security controls on an ongoing basis since the number of taxpayers filing electronic returns is expected to grow.
The IRS has aggressively marketed its e-file option since Congress passed the IRS Restructuring and Reform Act in 1998, which set a goal that 80 percent of all returns would be filed electronically by 2007.
The GAO warned that efforts by the agency to reach that level must be “balanced with the need to adequately ensure the security, privacy and reliability of taxpayer and other sensitive information.”
The report added that failure to maintain adequate security over the IRS’ e-filing systems could erode public confidence in electronically filing tax returns, thereby jeopardizing its ability to meet the 80 percent goal.