Sen. Chuck Grassley (R-Iowa), ranking member of the Committee on Finance, has expressed alarm over a new government report which has revealed just how vulnerable taxpayer data contained on employee laptops is to theft, fraud and other criminal abuses.
The report by the Treasury Inspector General for Tax Administration (TIGTA) found that hundreds of IRS laptop computers and other computer devices had been lost or stolen, employees were not properly encrypting data on the computer devices, and password controls over laptop computers were not adequate. TIGTA concluded that as a result, "it is likely that sensitive data for a significant number of taxpayers have been unnecessarily exposed to potential identity theft and/or other fraudulent schemes."
The report prompted harsh criticism from Grassley, the senior Republican on the Finance Committee, who commented: "Thieves are very good at mining sensitive data for their own end. One stolen IRS laptop could put thousands of taxpayers in jeopardy. It's hard to see why this is still a problem when the IRS knew about it more than three years ago."
The Finance Committee plans to hold a hearing this week to examine the issue of identity theft and fraudulent tax returns.
"I plan to ask what the IRS is doing to fix this problem for good," Grassley added.
The TIGTA report shows that theft of IRS computer equipment potentially containing sensitive information on thousands of taxpayers is running at alarmingly high levels. Between January 2, 2003, and June 13, 2006, IRS employees reported the loss or theft of at least 490 computers. A large number of IRS laptops were stolen from employees' vehicles and residences, but 111 incidents occurred within IRS facilities, where employees were likely not storing their laptop computers in lockable cabinets while they were away from the office.
While TIGTA said that it found limited definitive information on the lost or stolen computers, such as the number of taxpayers affected, a separate test on 100 laptop computers currently in use by employees determined 44 laptop computers contained unencrypted sensitive data, including taxpayer data and employee personnel data.
"As a result, we believe it is very likely a large number of the lost or stolen IRS computers contained similar unencrypted data," the report said.
According to TIGTA, employees did not follow encryption procedures because they were either unaware of security requirements, did so for their own convenience, or did not know their own personal data were considered sensitive. The investigation also found other computer devices, such as flash drives, CDs, and DVDs, on which sensitive data were not always encrypted. Despite similar findings in 2003, TIGTA said that the IRS had "not taken adequate corrective actions" to reduce the problem.
TIGTA also evaluated the security of backup data stored at four offsite facilities and found that data were not encrypted or adequately protected at the four sites. For example, at one site, non-IRS employees had full access to the storage area and the IRS backup media. Envelopes and boxes with backup media were open and not resealed. At another site, one employee who retired in March 2006 still had full access rights to the non-IRS offsite facility when TIGTA inspectors visited in July 2006. Also, inventory controls for backup media were found to be inadequate.
"We attributed these weaknesses to a lack of emphasis by management," the report concluded.
All rights reserved. © 2013 Wolters Kluwer