Security Gaps Could Let Hackers Edit Government Spending Data, Watchdog Says


New and old flaws in systems at a Treasury Department bureau added up to “a significant deficiency,” according to the Government Accountability Office.  

A number of security gaps in the Treasury Department’s financial reporting system could leave the door open for online bad actors to tamper with the government’s spending data, a congressional watchdog found.

The Government Accountability Office uncovered eight different flaws in the system used by the department’s Bureau of the Fiscal Service to check the accuracy of the annual financial reports it publishes for every government agency.

The new flaws, when combined with a handful of unresolved issues GAO previously identified within the bureau, could “increase the risk of unauthorized access to, modification of, or disclosure of sensitive data and programs and disruption of critical operations,” investigators wrote in a report published Tuesday.

The Fiscal Service Bureau is responsible for keeping tabs on the government’s debt and monitoring agencies’ revenue, spending, obligations and other fiscal behavior. Treasury relies on the bureau’s annual reports to inform decisions on managing debt, paying out interest and allocating temporary funds to agencies.

Though the shortcomings they uncovered didn’t affect the agency’s federal debt report in 2017, auditors said future inaccuracies could go undetected.

Of the eight flaws revealed in the audit, four could be exploited to illegally access and change financial data and resources, three could potentially allow for unauthorized changes to hardware and software security, and one involved the bureau’s risk management system. While no one glitch amounted to a major threat on its own, they collectively represent “a significant deficiency” in the bureau’s internal controls, GAO said.

Addressing these issues require the bureau to increase its focus on determining what risks exist in its system, designing controls to address the risks, and measuring the success of those controls, the report said.

Investigators also found the bureau had yet to fully correct 15 different deficiencies GAO identified in previous audits, including some the bureau said had already been addressed. The watchdog gave 10 recommendations for fixing new and existing issues in a separate report that was not made public.

In response to the restricted report, the bureau said, “it would continue to look for efficient and effective ways to improve and ensure the consistent application of agency-wide security controls over all systems.”