TIGTA Audit Revealed Databases Used By IRS Not Configured Securely

A number of non-mainframe databases used by IRS to manage and process taxpayer data are not configured securely, are running out-of-date software, and no longer receive security patches, the Treasury Inspector General for Tax Administration (TIGTA) said in an audit released on June 23. (Audit Report No. 2011-20-044) The agency uses some 2,200 databases. Auditors also found that IRS had not fully implemented its plans to complete vulnerability scans of databases within its enterprise. In addition, IRS has not completely carried out its plans to finish vulnerability scans of its databases, the audit found. “As all government databases are becoming favored targets of hackers, the importance of protecting IRS databases cannot be overstated,” said J. Russell George, the inspector general. “Any failure to maintain IRS databases with the right amount of security diligence can allow disgruntled insiders or malicious outsiders to exploit security weaknesses to gain unauthorized access to taxpayer data, resulting in identity theft, fraud, or other types of illegal activity.” IRS concurred with seven recommendations made by TIGTA to improve database security. The audit can be found at http://www.treasury.gov/tigta/auditreports/2011reports/201120044fr.pdf.