Computer security flaws

Wednesday, April 9, 2008 | 2:08 a.m.

An inspector general’s report says security controls for the Internal Revenue Service’s computer system are so lax that a disgruntled employee or contractor or even an outside hacker could access the system and the sensitive taxpayer information it contains.

The report released Monday by the Treasury Department’s inspector general for tax administration did not find any evidence of wrongdoing or theft from the estimated 137 million tax returns filed annually with the IRS. However, USA Today reports, the investigators’ review of the agency’s computer routers and data switches suggested that “an unscrupulous person” could divert data before they reached their intended destination.

Of the 374 accounts that allowed IRS employees and contractors to perform a system administrator’s duties, 141 had authorizations that were either expired or had never been properly set up.

What’s more, 34 other accounts which also were set up without proper authorization allowed IRS computer system access to multiple users for each account.

IRS officials agreed with the inspector general’s criticisms and recommendations and have promised to take steps to restrict access, USA Today reports. For example, an IRS employee’s computer access is to be locked after 45 days of inactivity and will be removed after 90 days of inactivity.

Also, the agency will limit the number of shared-user accounts and work harder to make sure that no unauthorized people have access to the computer control system.

While such aggressive action is warranted, it is a wonder that the IRS which collects and stores some of the most sensitive personal and financial data available on millions of Americans needed an inspector general’s report to take care of such security lapses. That access to the computer system’s overall operation and security controls should be highly restricted and limited should go without saying.