By Martin H. Bosworth

April 6, 2007
More bad news for the IRS as tax time approaches -- an audit performed on the Internal Revenue Service (IRS) by the Treasury Department's Inspector General found that the IRS has lost 490 computers between 2003 and 2006, and that the personal information of roughly 2,359 taxpayers is at risk as a result.

Moreover, the report found the IRS had poor security practices for protecting its machines, including easy-to-guess passwords and weak or no encryption, and that the total amount of exposed taxpayer data is difficult to estimate.

Deputy Inspector General Michael Phillips and his team performed inspections of 100 laptop computers in use at the IRS. Of those laptops, 44 contained sensitive, unprotected information on agency personnel and taxpayers. Many of the examined laptops had simple username and password combinations, making them easy to access.

"[W]e believe it is very likely a large number of the lost or stolen IRS computers contained similar unencrypted data," Philips said in the report. "Employees did not follow encryption procedures because they were either unaware of security requirements, did so for their own convenience, or did not know their own personal data were considered sensitive."

Among the report's findings:

• 111 laptop computers were lost or went missing from IRS offices between 2003 and 2006, the highest overall percentage of the total of missing computers. The audit found 89 instances of laptops lost or taken from vehicles, and 35 instances of laptops taken from residences.

• Of the 100 employees interviewed for the audit, 20 had portable "flash drives" or memory sticks that they stored data on without using any encryption, and 54 of the employees stored sensitive data on CD's, DVDs, and floppy disks.

• Several of the examined computers were set to boot up from locations other than the primary hard drive, such as a CD drive, which enables any user with operating software to operate the computer and bypass password protection.

The Treasury IG noted that the IRS was already taking steps to address its concerns and implement its recommendations, chiefly centering on more stringent education and training in protecting sensitive information and securing laptops. IRS Commissioner Mark Everson told Computerworld that the issue of data security is a top priority for him and the agency.

"Historically, missing laptops were treated by us and [the Inspector General for Tax Administration] as a loss of IT hardware rather than as a potential loss of taxpayer data or personally identifiable information," Everson said. "Clearly, this was not the proper response."

The Government Accountabiliy Office (GAO) has issued several reports criticizing the IRS for failing to provide proper security procedures for its data, such as not limiting access privileges on machines containing sensitive data, and not ensuring training of employees in data security. The most recent report was issued on April 2.

One area of laptop theft protection the IRS does employ is in using remote systems linked to the computer to track it whenever it logs on to the Internet. Companies such as CyberAngel and Absolute have been ramping up their marketing efforts to government clients in order to get agencies using their laptop-tracking software.

The Treasury report is available as a free PDF download.