March 16, 2001, 1:15 PM — The U.S Internal Revenue Service (IRS) failed to implement adequate security to
protect online tax filers' data during the 2000 filing season, concludes a new
report from the government's watchdog agency.
Neither the IRS' electronic filing system nor its electronically transmitted
tax return data were secure from being viewed or tampered with, according to
the new report released Thursday by the U.S. General Accounting Office (GAO).
GAO officials were able to show that unauthorized users both internally and
externally to the IRS could gain access to the IRS' electronic filing systems,
the report states.
IRS officials plugged the holes in the IRS tax filing system security prior
to this year's tax filing season.
"As noted by the General Accounting Office, there were some e-filing areas
that needed strengthening during last year's filing season," said IRS Commissioner
Charles O. Rossotti, in a statement. "When the findings came to our attention,
the IRS moved swiftly to implement these changes."
The IRS has completed action on all critical security areas recommended by
the GAO, Rossotti said. In January of this year, the IRS system reached full-security
certification under federal government guidelines, he said.
During 2000, the IRS reported that more than 35 million individual taxpayers,
about 20 percent more than the year before, filed their returns electronically
with the IRS' e-file program. The number represents about 28 percent of all
individual returns for the 2000 filing season, the GAO said.
The IRS has a goal of receiving 80 percent of all tax returns electronically
by 2007. The IRS only takes online returns through authorized tax preparers
working with the IRS, like H&R Block Inc.
The GAO report makes five critical points about the IRS' security during 2000.
-- The IRS did not effectively restrict external access with its firewall and
similar perimeter defenses.
-- IRS officials did not securely configure the operating system on its e-file
system. GAO officials were able to use several "risky and unnecessary services"
that could have aided in intrusion.
-- The IRS had not implemented adequate password management and user account
practices. The GAO identified weaknesses in the confidentiality and complexity
of the IRS' passwords and the administration of user accounts.
-- Sufficient restrictions were not in place for access to computer files and
directories containing tax return and other system data.
-- The IRS did not encrypt tax return data while the data was stored on e-file
computers, despite the Internal Revenue Manual requiring the practice.