Complain about a product or service

IRS Loses Nearly 500 Computers Over Three Years

By Martin H. Bosworth
ConsumerAffairs.com

April 6, 2007

Income Tax • IRS Faulted for Lax Identity Theft Protection Efforts • IRS Loses Nearly 500 Computers Over Three Years • GAO: IRS Still Not Doing Enough to Secure Data • Taxpayer Advocate Targets IRS Collection Policies • IRS Scales Back Outsourcing Plans • December is Tax-Prep Time • IRS Has Refunds for 95,746 "Missing" Taxpayers • GAO: IRS Needs More Oversight of Private Debt Collectors • IRS Gives Away Millions Due To Failed Software Upgrade • New IRS Online Payment System Raises Privacy Fears • Taxpayers Can Get an Automatic Six-Month Filing Extension • April 15th Should Be Just Another Day, Taxpayer Groups Argue • "Tax Freedom Day" Three Days Late This Year • Senators Push for Electronic Tax Filing • Paying Taxes With Your Credit Card Can Get Expensive • GAO Finds Tax Preparers Prone to Error • Consumer Group to Taxpayers: Don�t Borrow Your Own Money • States Oppose IRS Plan to Loosen Privacy Rules on Taxpayers' Returns • More ...

More bad news for the IRS as tax time approaches -- an audit performed on the Internal Revenue Service (IRS) by the Treasury Department's Inspector General found that the IRS has lost 490 computers between 2003 and 2006, and that the personal information of roughly 2,359 taxpayers is at risk as a result.

Moreover, the report found the IRS had poor security practices for protecting its machines, including easy-to-guess passwords and weak or no encryption, and that the total amount of exposed taxpayer data is difficult to estimate.

Deputy Inspector General Michael Phillips and his team performed inspections of 100 laptop computers in use at the IRS. Of those laptops, 44 contained sensitive, unprotected information on agency personnel and taxpayers. Many of the examined laptops had simple username and password combinations, making them easy to access.

"[W]e believe it is very likely a large number of the lost or stolen IRS computers contained similar unencrypted data," Philips said in the report. "Employees did not follow encryption procedures because they were either unaware of security requirements, did so for their own convenience, or did not know their own personal data were considered sensitive."

Among the report's findings:

• 111 laptop computers were lost or went missing from IRS offices between 2003 and 2006, the highest overall percentage of the total of missing computers. The audit found 89 instances of laptops lost or taken from vehicles, and 35 instances of laptops taken from residences.

• Of the 100 employees interviewed for the audit, 20 had portable "flash drives" or memory sticks that they stored data on without using any encryption, and 54 of the employees stored sensitive data on CD's, DVDs, and floppy disks.

• Several of the examined computers were set to boot up from locations other than the primary hard drive, such as a CD drive, which enables any user with operating software to operate the computer and bypass password protection.

The Treasury IG noted that the IRS was already taking steps to address its concerns and implement its recommendations, chiefly centering on more stringent education and training in protecting sensitive information and securing laptops. IRS Commissioner Mark Everson told Computerworld that the issue of data security is a top priority for him and the agency.

"Historically, missing laptops were treated by us and [the Inspector General for Tax Administration] as a loss of IT hardware rather than as a potential loss of taxpayer data or personally identifiable information," Everson said. "Clearly, this was not the proper response."

The Government Accountabiliy Office (GAO) has issued several reports criticizing the IRS for failing to provide proper security procedures for its data, such as not limiting access privileges on machines containing sensitive data, and not ensuring training of employees in data security. The most recent report was issued on April 2.

One area of laptop theft protection the IRS does employ is in using remote systems linked to the computer to track it whenever it logs on to the Internet. Companies such as CyberAngel and Absolute have been ramping up their marketing efforts to government clients in order to get agencies using their laptop-tracking software.

Report Your Experience
If you've had a bad experience -- or a good one -- with a consumer product or service, we'd like to hear about it. All complaints are reviewed by class action attorneys and are considered for publication on our site. Knowledge is power! Help spread the word. File your consumer report now.

Back to the top |