Paul L. Caron

Wednesday, June 3, 2015

TIGTA: IRS Ignored Recommended Security Upgrades That Would Have Prevented Last Week's Hack Of 100,000 Taxpayer Accounts

Following up on last week's post, GAO, TIGTA Warned Of IRS's Lax Computer Security For Years Before Hack Of 100,000 Taxpayer Accounts On IRS Website: Washington Post, IRS Failed to Address Computer Security Weaknesses, Making Attack on 104,000 Taxpayers More Likely, Watchdog Says:

A government watchdog told lawmakers Tuesday that the Internal Revenue Service has failed to put in place dozens of security upgrades to fight cyberattacks, improvements he said would have made it “much more difficult” for hackers to gain access to the personal information of 104,000 taxpayers in the spring.

“It would have been much more difficult if they had implemented all of the recommendations we made,” J. Russell George, the Treasury Inspector General for Tax Administration, told the Senate Finance Committee at a hearing on the data breach, which the IRS says was part of an elaborate scheme to claim fraudulent tax refunds.

George and IRS Commissioner John Koskinen also said the thieves are operating a worldwide criminal syndicate that originates not just in Russia but in many other countries. ...

Internet security for the IRS has been the inspector general’s top concern since 2011. His investigators audit the agency’s security systems every year and suggest improvements. For example, they are now auditing the effectiveness of the process for authenticating data when Americans file their tax returns.

As of March, 44 of those upgrades had not been completed, including vital security patches, George said. Ten of the recommendations were made more than three years ago.



Mr. Wenzel: Fingerprinting and iris scans? Ain't gonna happen here. Religious and other civil liberties objections to such procedures would be litigated for the next 50 years.

Posted by: Old Hand | Jun 3, 2015 8:13:39 AM

It is my understanding the real problem is the IRS-IT refuses to upgrade to Microsoft Server and uses free Linux, which is easier to hack.

Posted by: Dale Spradling | Jun 3, 2015 7:32:39 AM

In Mexico, SAT (Mexican IRS) requires a one-time in-person visit so they can fingerprint you and take an iris scan. They then provide you with an e-token you can store on a USB or other media to digitally sign your annual returns.

You don't need the e-token for monthly or quarterly filings - just for the annual.

Their entire online filing system is free and runs on Oracle. There is a wizard-based version for end-users, and one with more features recommended only for tax experts.

Posted by: Doug Wenzel | Jun 3, 2015 5:58:27 AM