IRS Network Has Insecure Web Servers

The Internal Revenue Service has thousands of insecure, unauthorized Web servers connected to its network, putting taxpayer information at risk.

A report by the Treasury Inspector General for Tax Administration found that the IRS network has 1,811 internal Web servers that had not been approved to connect to the network, and 2,093 internal Web servers that had at least one security vulnerability. "These unauthorized and insecure Web servers placed both the computers and the entire IRS network at risk of unauthorized access to taxpayer and personally identifiable information," said the report.

TIGTA acknowledged that some of the unauthorized Web servers could be legitimate and support IRS operations, but added there was a risk that the servers were being used for non-business purposes. Some of the servers were unintentionally running Web services.

In response to the findings, the IRS plans to disconnect unauthorized Web servers from the network. Its Computer Security Incident Response Center will also perform quarterly security assessment scans to measure compliance with security requirements.