The Treasury Inspector General for Tax Administration has released "The Internal Revenue Service Is Not Adequately Protecting Taxpayer Data on Laptop Computers and Other Portable Electronic Media Devices" (2007-20-048).
IRS employees reported the loss or theft of at least 490 computers between January 2, 2003, and June 13, 2006. No organization is impervious to theft or loss of computers, especially an organization as large as the IRS with approximately 100,000 employees. Many incidents cannot be prevented, but employees can reduce the risk by taking precautions. For example, because a large number of laptop computers were stolen from vehicles and employees’ residences, employees may not have secured their laptop computers in the trunks of their vehicles or locked their laptop computers at home. Further, because 111 incidents occurred within IRS facilities, employees were likely not storing their laptop computers in lockable cabinets while the employees were away from the office.
IRS procedures require employees to report lost or stolen computers to the IRS Computer Security Incident Response Center (CSIRC) and to the Treasury Inspector General for Tax Administration (TIGTA) Office of Investigations. Employees reported the loss or theft of at least 490 computers and other sensitive data in 387 separate incidents. Employees reported 296 (76 percent) of the incidents to the TIGTA Office of Investigations but not to the CSIRC. In addition, employees reported 91 of the incidents to the CSIRC; however, 49 of these were not reported to the TIGTA Office of Investigations. Coordination was inadequate between the CSIRC and the TIGTA Office of Investigations to identify the full scope of the losses.
We found limited definitive information on the lost or stolen computers, such as the number of taxpayers affected, when we conducted our review. However, we conducted a separate test on 100 laptop computers currently in use by employees and determined 44 laptop computers contained unencrypted sensitive data, including taxpayer data and employee personnel data. As a result, we believe it is very likely a large number of the lost or stolen IRS computers contained similar unencrypted data. Employees did not follow encryption procedures because they were either unaware of security requirements, did so for their own convenience, or did not know their own personal data were considered sensitive. We also found other computer devices, such as flash drives, CDs, and DVDs, on which sensitive data were not always encrypted. We reported similar findings in July 2003, but the IRS had not taken adequate corrective actions.
In addition to encryption solutions to protect sensitive data on its laptop computers, the IRS requires controls, such as usernames and passwords, to restrict access to laptop computers. However, 15 of the 44 laptop computers with unencrypted sensitive data had security weaknesses that could be exploited to bypass these security controls. We believe system administrators either incorrectly configured the computers upon deployment or did not correctly reset the controls after working on the computers.
We also evaluated the security of backup data stored at four offsite facilities. Backup data were not encrypted and adequately protected at the four sites. For example, at one site, non-IRS employees had full access to the storage area and the IRS backup media. Envelopes and boxes with backup media were open and not resealed. At another site, one employee who retired in March 2006 had full access rights to the non-IRS offsite facility when we visited in July 2006. Also, inventory controls for backup media were inadequate. We attributed these weaknesses to a lack of emphasis by management.