Inspector General Report: Two IRS Applications Leave Taxpayer Data at Risk
http://www.darkreading.com/document.asp?doc_id=166144
By Kelly Jackson Higgins
Senior Editor
Dark Reading
OCTOBER 16, 2008
The Internal Revenue Service left taxpayer data exposed by deploying two
major computer systems despite knowing that they harbor security
vulnerabilities, according to a report [1] released publicly today by
the Treasury Inspector General for Tax Administration (TIGTA).
The inspector general office says the IRS’s mainframe-based Customer
Account Data Engine (CADE) for managing taxpayer accounts and its
Account Management Services (AMS) for IRS access to taxpayer data
contain flaws that the IRS identified but did not fix before
rolling them out last year. The billion-dollar, high-sensitivity CADE
system is one of the key elements of the IRS’s computer modernization
program, and processed about 20 percent of the 142 billion tax returns
filed to the IRS, according to the Associated Press.
CADE contains vulnerabilities that could lead to potential
administrative privilege abuse, malware attacks, and unauthorized access
to the system and its data. Among the other flaws highlighted in the
report is a lack of configuration management, storage, and disaster
recovery deficiencies, and no actual security guidelines or plans for
connecting the system to other government agencies’ systems. The IRS
also sends personally identifiable information from CADE within its data
centers in clear text, and leaves its backup systems unencrypted.
AMS, meanwhile, includes taxpayer identification numbers in its
application error log, and its operating system has only a 77.8 percent
compliance rate with the required security settings, according to the
report.
TIGTA is unaware of any taxpayer data actually getting compromised or
falling into the wrong hands, but the data was exposed on these systems,
according to the agency.
[1] http://www.treas.gov/tigta/auditreports/2008reports/200820163fr.pdf
[...]