By Matt Hines
April 05, 2007
A new report filed by federal security auditors finds that that the
Internal Revenue Service has had almost 500 laptop computers lost or
stolen over the last three years, many of which were loaded with
sensitive taxpayer information.
In a memo authored by the Treasury Department's Inspector General for
Audit, Michael R. Phillips, investigators maintain that the IRS is not
adequately protecting taxpayer data on laptops and other portable
electronic media devices. The report contends that between 2003 and 2006
the IRS had some 490 laptops lost or stolen in 387 individual incidents.
In the missive, originally filed to IRS leaders on March 23, the
auditors said 176 of those incidents did not involve the potential
exposure of taxpayer data, but noted that the information of at least
2,300 individuals was stored on the other missing laptops.
The investigators said that they were unable to deduce whether taxpayer
information was exposed via 85 of the reported device losses, however,
it was confirmed that the personal information of at least 3,359
taxpayers was misplaced in the other incidents.
While chilling, the report does in fact show signs that the IRS has
slowed the loss of computing devices over the last few years. In Jan.
2002, the IRS admitted in a similar audit that it had lost or misplaced
some 2,332 laptops, desktops and servers over the previous 36 months.
According to the report, a large number of the missing laptops were
stolen from employees' vehicles and residences, with an additional 111
of the incidents occurring within IRS facilities.
Perhaps the most notorious loss of a laptop in the federal sector came
in May 2006 when a contractor working with the Department of Veterans
Affairs had a computer stolen from his home that carried the personal
data of an estimated 26.5 million people. The laptop was eventually
recovered by law enforcement officials.
In addition to failing to properly secure their devices in and out of
the office, the auditors said that some of the IRS' 100,000 employees
were not properly encrypting data on their machines or utilizing
adequate password protections.
Further, the auditors said that they conducted a test on 100 laptop
computers currently in use by IRS employees and determined that 44 of
the devices contained unencrypted sensitive data, including taxpayer
data and employee personnel data.
The IRS requires usernames and passwords on its laptops, but 15 of the
44 computers with unencrypted sensitive data also contained security
vulnerabilities that could allow for circumvention of those tools.
"As a result, we believe it is very likely a large number of the lost or
stolen IRS computers contained similar unencrypted data," the inspectors
wrote in the report. "Employees did not follow encryption procedures
because they were either unaware of security requirements, did so for
their own convenience, or did not know their own personal data were
The auditors also observed other computer devices, including as USB
flash drives, CDs, and DVDs on which sensitive data were not always
encrypted, and found in a test on the agency's off-site storage back-up
operations that at least four of the sites lacked sufficient data
At one location, non-IRS employees had full access to the storage
infrastrucutre and the agency's backup media, the report said. In
addition, envelopes and boxes with backup media onboard were left open
and not resealed.
At another back-up facility, a retired employee still retained full
access rights to sensitive data. and inventory controls for backup media
were found to be inadequate.
"We attributed these weaknesses to a lack of emphasis by management,"
the auditors wrote.
Another problem isolated in the report is a lack of consistent reporting
of device losses to the Treasury Department's Inspector General's office
and the IRS Computer Security Incident Response Center (CSIRC), both of
which are required to be notified in such incidents. Inadequate
coordination between the two groups made it harder to determine what
types of information were on each of the missing computers, according to
In their final recommendations, the auditors recommend that IRS leaders
refine their incident response procedures to ensure for better
understanding of any potential data exposure and more frequently remind
employees to use proper device security measures. The report also
contends that the agency should consider implementing a "systemic disk
encryption solution" on its laptops that does not rely on employee
interaction to protect sensitive information.
Phillips writes that IRS management agreed with all of his office's
findings, and most of its recommendations.
Subscribe to InfoSec News