By Kevin Poulsen
May 13, 2008
Five workers at the Internal Revenue Service's Fresno, California,
return processing center were charged Monday with computer fraud and
unauthorized access to tax return information for allegedly peeking into
taxpayers' files for their own purposes.
"The IRS has a method for looking for unauthorized access, and it keeps
audit trails, and occasionally it will pump out information about who's
done what," says assistant U.S. attorney Mark McKoen, who's prosecuting
the cases in federal court in Fresno. "In general terms, IRS employees
are only authorized to access the accounts of taxpayers who write in.
They're not allowed to access friends, relatives, neighbors,
With tax return information just a few keystrokes away, IRS employees
succumb to curiosity often enough that the agency has its own word for
such browsing: UNAX, (pronounced you-nacks) , for "unauthorized access."
In congressional testimony last month, a Treasury Department
investigator said employee prying was on the rise, with 430 known cases
in 1998, and 521 last year.
"Whether the intent is fraud or simply curiosity, the potential exists
for unauthorized accesses to tax information of high-profile individuals
and other taxpayers," testified J. Russell George, the department's
Inspector General for Tax Administration. "The competing goals of
protecting this information and achieving workplace efficiencies become
even more difficult as technology becomes faster and more complex."
The five charged this week are Corina Yepez, Melissa Moisa, Brenda
Jurado, Irene Fierro and David Baker. Only 13 taxpayers were compromised
-- each worker allegedly peeked at one to four tax returns, in incidents
from 2005 through last year.
The age of some of the incidents suggests the Inspector General's office
is breaking out new algorithms to find anomalies in audit trails going
back years. The office declined to comment, as did the IRS.
Workers caught in a UNAX are typically subject to disciplinary measures
like unpaid leave, and less commonly charged with misdemeanor violations
of the Taxpayer Browsing Protection Act and the Computer Fraud and Abuse
Act. There were 185 such prosecutions from 1998 to 2007, with offenders
typically receiving probation.
Attend Black Hat USA, August 2-7 in Las Vegas,
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in
a relaxed setting. http://www.blackhat.com