Audit: IRS ignored risks in deploying online filing system

Vulnerabilities were carried over across different stages of development, IG reports.

The Internal Revenue Service launched the latest version of its online tax-filing system despite known security gaps that could put taxpayer information at risk, according to an inspector general report released on Thursday.

The IRS identified 13 vulnerabilities during testing of the fourth release of its Modernized e-File system, but still deployed it in January 2007, the Treasury Inspector General for Tax Administration reported.

Both the e-file system and the database that stores returns and extensions lacked proper access controls and disaster recovery capabilities, auditors found. For example, security settings on the e-file system and database servers were not sufficiently restrictive, the IG said. In addition, unauthorized users gained direct access to the e-file system's management console, which houses administrative functions such as security and Web services configurations. The IRS also had not lined up an alternate processing site that could be used during emergencies.

"The significance of these security vulnerabilities is heightened, because the MeF system is a critical modernized system that will affect the future success of the IRS computing environment," the IG stated. "Until security control vulnerabilities are corrected, the IRS is jeopardizing the confidentiality, integrity and availability of an increasing volume of tax information for millions of taxpayers."

Auditors noted that "many of these same vulnerabilities have been designated as a bureauwide material weakness by the IRS." The IG identified similar security risks in previous reports, including a September 2008 audit of the systems that process taxes and give IRS employees access to taxpayer data.

According to Thursday's report, the IRS executive steering committee responsible for resolving tax processing issues checked off milestones as complete, despite the security vulnerabilities.

"We found that six of the security vulnerabilities mentioned previously were identified repeatedly during MeF system milestone reviews and were not corrected," the IG reported. "Rather, they were carried over from milestone to milestone, and some were even carried over from release to release."

The IRS' cybersecurity organization recommended fully accrediting the system despite the identified weaknesses, according to the report, and accreditation was approved.

In response to the IG, officials said that since the audit field work was completed in August 2008, seven of the 13 security vulnerabilities identified had been resolved, two were found to be invalid, and two remained unresolved, one of which is expected to be fixed when a new release of the system is launched later in January. One weakness has been partially resolved, with the remaining actions to be completed in fiscal 2009, and another issue was transferred to a different organization within the IRS.

"We agree ... that shortcomings remain in our processes and procedures in ensuring that security controls are implemented before systems are deployed, and we are expediting resolution of these shortcomings," said Terence Milholland, IRS chief technology officer, in a written response to the IG report. He also noted the agency's strong objection to public dissemination of information about the IRS' security vulnerabilities, claiming it "poses unnecessary and unacceptable risks to our national tax system and economic infrastructure."

The IG conducted the audit as part of the statutory requirement to review the adequacy and security of IRS information technology annually.