Saturday, April 07, 2007

IRS still losing laptops

IRS still losing laptops
Matt Hines
Thu Apr 5, 5:15 PM ET






A new report filed by federal security auditors finds that that the Internal Revenue Service has had almost 500 laptop computers lost or stolen over the last three years, many of which were loaded with sensitive taxpayer information.

[ Read about the GAO's report on the IRS in the Zero Day Security blog. ]

In a memo authored by the Treasury Department's Inspector General for Audit, Michael R. Phillips, investigators maintain that the IRS is not adequately protecting taxpayer data on laptops and other portable electronic media devices. The report contends that between 2003 and 2006 the IRS had some 490 laptops lost or stolen in 387 individual incidents.

In the missive, originally filed to IRS leaders on March 23, the auditors said 176 of those incidents did not involve the potential exposure of taxpayer data, but noted that the information of at least 2,300 individuals was stored on the other missing laptops.

The investigators said that they were unable to deduce whether taxpayer information was exposed via 85 of the reported device losses, however, it was confirmed that the personal information of at least 3,359 taxpayers was misplaced in the other incidents.

While chilling, the report does in fact show signs that the IRS has slowed the loss of computing devices over the last few years. In Jan. 2002, the IRS admitted in a similar audit that it had lost or misplaced some 2,332 laptops, desktops and servers over the previous 36 months.

According to the report, a large number of the missing laptops were stolen from employees' vehicles and residences, with an additional 111 of the incidents occurring within IRS facilities.

Perhaps the most notorious loss of a laptop in the federal sector came in May 2006 when a contractor working with the Department of Veterans Affairs had a computer stolen from his home that carried the personal data of an estimated 26.5 million people. The laptop was eventually recovered by law enforcement officials.

In addition to failing to properly secure their devices in and out of the office, the auditors said that some of the IRS' 100,000 employees were not properly encrypting data on their machines or utilizing adequate password protections.

Further, the auditors said that they conducted a test on 100 laptop computers currently in use by IRS employees and determined that 44 of the devices contained unencrypted sensitive data, including taxpayer data and employee personnel data.

The IRS requires usernames and passwords on its laptops, but 15 of the 44 computers with unencrypted sensitive data also contained security vulnerabilities that could allow for circumvention of those tools.

"As a result, we believe it is very likely a large number of the lost or stolen IRS computers contained similar unencrypted data," the inspectors wrote in the report. "Employees did not follow encryption procedures because they were either unaware of security requirements, did so for their own convenience, or did not know their own personal data were considered sensitive."

The auditors also observed other computer devices, including as USB flash drives, CDs, and DVDs on which sensitive data were not always encrypted, and found in a test on the agency's off-site storage back-up operations that at least four of the sites lacked sufficient data encryption. At one location, non-IRS employees had full access to the storage infrastrucutre and the agency's backup media, the report said. In addition, envelopes and boxes with backup media onboard were left open and not resealed.

At another back-up facility, a retired employee still retained full access rights to sensitive data. and inventory controls for backup media were found to be inadequate.

"We attributed these weaknesses to a lack of emphasis by management," the auditors wrote.

Another problem isolated in the report is a lack of consistent reporting of device losses to the Treasury Department's Inspector General's office and the IRS Computer Security Incident Response Center (CSIRC), both of which are required to be notified in such incidents. Inadequate coordination between the two groups made it harder to determine what types of information were on each of the missing computers, according to the report.

In their final recommendations, the auditors recommend that IRS leaders refine their incident response procedures to ensure for better understanding of any potential data exposure and more frequently remind employees to use proper device security measures. The report also contends that the agency should consider implementing a "systemic disk encryption solution" on its laptops that does not rely on employee interaction to protect sensitive information.

Phillips writes that IRS management agreed with all of his office's findings, and most of its recommendations.












Copyright © 2007 Yahoo! Inc. All rights reserved.

0 Comments:

Post a Comment

<< Home