IRS Needs to Improve Database Security

Some of the 2,200 databases that the Internal Revenue Service uses to manage and process taxpayer data are not configured securely, are running out-of-date software, and no longer receive security patches, according to a new government report.

The report, by the Treasury Inspector General for Tax Administration, also found that the IRS has not fully implemented its plans to complete vulnerability scans of its databases. While the tax agency spent more than $1.1 million in software licenses and support costs for a database vulnerability scanning and compliance assessment tool, it did not fully implement the tool.

“As all government databases are becoming favored targets of hackers, the importance of protecting IRS databases cannot be overstated,” said TIGTA Inspector General J. Russell George in a statement. “Any failure to maintain IRS databases with the right amount of security diligence can allow disgruntled insiders or malicious outsiders to exploit security weaknesses to gain unauthorized access to taxpayer data, resulting in identity theft, fraud, or other types of illegal activity.”

TIGTA used database vulnerability assessment software to conduct remote scans of the primary databases for 13 applications supporting critical tax administration business processes. Its review found high- and medium-risk vulnerabilities, as classified by the scanning tool, in each of the 13 databases.

The IRS took exception to some of the implications of the report. "The IRS takes the security of our databases very seriously," said a statement forwarded by IRS spokesperson Julianne Fisher Breitbeil. "We want to be very clear that while this report points out a number of technical issues, many of which have been resolved, there is no direct assertion that any taxpayer data is at risk. In fact, it should be noted that many of the databases referenced in this report don't store any taxpayer data at all. The IRS emphasizes these databases are used internally and are not directly accessed by the public. Security enhancement is an ongoing investment as the external world changes. We continue to make substantial investments, and test our capabilities on an ongoing basis. It's also important to note there have been no actual data breaches involving these databases."

TIGTA made seven recommendations to improve database security in its report, to which the IRS agreed. The IRS disagreed, however, with TIGTA’s $1.1 million outcome measure related to the licensing of the IRS vulnerability scanning tool, but TIGTA maintains the appropriateness of the measure.

“We do not concur with TIGTA’s assertion that the purchase of DbProtect was an inefficient use of resources,” IRS chief technology officer Terence V. Milholland wrote in response to the report. “At the time of the purchase, DbProtect was the best available tool on the market and met the IRS’ immediate needs for a database scanning capability in response to TIGTA’s audit recommendations and was put into production use. However, ongoing costs and business requirements were the main reasons for changing to a new database scanning tool.”
