Earlier this month, the General Accounting Office (GAO) issued a report regarding the lack of security at the Internal Revenue Service (IRS). Before you fall off your chair laughing, read on because you may be at risk. Let's start with the good news. The GAO has stated that the IRS has made progress, correcting 49 of the 115 weaknesses identified in the 2008 audit. Some of the more critical issues resolved included controls for unauthenticated networks, encrypting sensitive data, patching critical vulnerabilities, and a needed update to the contingency plan.
What concerns me are the other 66 weaknesses that have not been addressed. These deficiencies include allowing any user on the IRS's network to have access to the IDs and passwords of their mission-critical applications, allowing users to create passwords that are not complex and are therefore easy to guess, granting excessive electronic access to individuals, and not removing separated employees' access in a timely manner.
There have been several high-profile breaches involving government computer systems over the past few years. In 2006, the Department of Energy was breached and 1500 names and Social Security numbers were taken. In 2007, the Oak Ridge National Laboratory was hacked and Social Security numbers and birth dates were taken. Representatives from the lab have not given the number of records taken, but if you were an employee or visited the lab between 1990 and 2004, your personal information may have been stolen. Also in 2007, the NOAA Web site was hijacked by spammers who pushed bogus pages to the site. The problem of hackers defacing government Web sites has become so bad that a Web site dedicated to the subject lists 19 sites that have been defaced during the past 27 days. Three of the sites were HTTPS sites.
I don't expect government sites to be any less vulnerable than corporate sites. However, I do expect the government to be held to a higher standard. In the case of the IRS, Americans are mandated to give the agency their personal information. In turn, I expect the agency to take prudent measures to guard that information. With the tax deadline approaching in a couple of months and the IRS's lack of security, I am leery about sending in my personal information this year. Stay tuned; I may be writing this blog from jail.