IRS Audit Finds Security Vulnerabilities

A regular audit by the GAO (Government Accountability Office) recently found over 14 data security vulnerabilities in the IRS’ IT infrastructure and financial reporting systems. This is in addition to the 87 security and control deficiencies and over 150 recommendations uncovered by a 2018 investigation, only half of which were repaired by deadline. Although the IRS has taken considerable steps to bring its systems up to par, a total of 127 issues remain outstanding.

The audits are a legacy of a 2015 data breach that exposed the sensitive personal information of more than 100,000 taxpayers. GAO Director of Financial Management and Assurance Cheryl E. Clark and Managing Director of Applied Research and Methods Nancy R. Kingsbury sent a letter to IRS Commissioner Charles P. Rettig delineating the security risks at length.

Most of the problem consisted of eight access point control issues that could enable extensive unauthorized access into IRS programs and data. The remaining weaknesses included a lack of encryption for email, servers and contingency plans, as well as identification and authorization concerns. Some specific examples of the IRS’ security vulnerabilities include:

  • A lack of password expiration dates
  • Individual users could access agency tax processing databases even when it was not necessary
  • A non-administrator present in at least 1 administrator account
  • Failure to regularly apply patches and updates to vendor-supplied software

The GAO urged the IRS to be more forthcoming about its strategy for tightening data security and protecting the public’s records. They further made a series of recommendations for better security at the tax agency, including more encryption and the increased use of electronic signatures to monitor changes in the IT system. They also recommended the agency issue certificates to have people electronically sign documents, as well as make use of multi-factor authentication.

As the GAO put it, “Financial reporting and sensitive taxpayer data on IRS computer systems will remain vulnerable until the agency addresses the deficiencies for which we previously made 107 recommendations, as well as the 20 new recommendations.”

The Power of Encryption for Data Security

Our line of SecureDrives could easily protect the IRS and other organizations from vulnerabilities of the sort outlined here, access point problems in particular. We put hardware encrypted devices at the heart of security and control. Each drive has a crypto chip that is in line with the 256-bit Advanced Encryption Standard originally developed by NIST to protect government documents.

A hard drive protected by our system can only be accessed by those who know the password. Even physically breaking into the drive would be of little use to would-be hackers, since the drive remains encrypted even at rest. Moreover, the crypto chip would break if someone tried to dismantle the hard drive. There are two drive models, one with remote management capabilities that allow for geo- and time-fencing, remote wipe, and two-factor authentication, and another that requires physically entering a PIN via the wear-resistant keypad.

The SecureDrives provide customers with secure, user-friendly, and customized backup solutions. We were one of the first companies to receive SSAE 18 Type II certification, and we put data security and privacy protection at the heart of everything we do. Call us at 1-800-875-3230 to learn more.