The U.S Internal Revenue Service (IRS) failed to implement adequate security to protect online tax filers' data during the 2000 filing season, concludes a new report from the government's watchdog agency.
Neither the IRS' electronic filing system nor its electronically transmitted tax return data were secure from being viewed or tampered with, according to the new report released Thursday by the U.S. General Accounting Office (GAO). GAO officials were able to show that unauthorized users both internally and externally to the IRS could gain access to the IRS' electronic filing systems, the report states.
IRS officials plugged the holes in the IRS tax filing system security prior to this year's tax filing season.
"As noted by the General Accounting Office, there were some e-filing areas that needed strengthening during last year's filing season," said IRS Commissioner Charles O. Rossotti, in a statement. "When the findings came to our attention, the IRS moved swiftly to implement these changes."
The IRS has completed action on all critical security areas recommended by the GAO, Rossotti said. In January of this year, the IRS system reached full-security certification under federal government guidelines, he said.
During 2000, the IRS reported that more than 35 million individual taxpayers, about 20 percent more than the year before, filed their returns electronically with the IRS' e-file program. The number represents about 28 percent of all individual returns for the 2000 filing season, the GAO said.
The IRS has a goal of receiving 80 percent of all tax returns electronically by 2007. The IRS only takes online returns through authorized tax preparers working with the IRS, like H&R Block Inc.
The GAO report makes five critical points about the IRS' security during 2000.
-- The IRS did not effectively restrict external access with its firewall and similar perimeter defenses.
-- IRS officials did not securely configure the operating system on its e-file system. GAO officials were able to use several "risky and unnecessary services" that could have aided in intrusion.
-- The IRS had not implemented adequate password management and user account practices. The GAO identified weaknesses in the confidentiality and complexity of the IRS' passwords and the administration of user accounts.
-- Sufficient restrictions were not in place for access to computer files and directories containing tax return and other system data.
-- The IRS did not encrypt tax return data while the data was stored on e-file computers, despite the Internal Revenue Manual requiring the practice.
The GAO expressed concern that potential access to e-file computers could have given unauthorized access to other critical IRS systems. Rossotti notes, in a letter to the GAO that is part of the overall report, that no incidents were reported of intrusions to the IRS tax filing system in 2000.
The GAO report can be read at http://www.gao.gov/.