New IRS computer systems vulnerable.

Published 17 October 2008

The IRS is spending nearly $2 billion on two new systems which would more effectively handle the tax returns filed by $142 million Americans; Treasury IG finds vulnerabilities in both systems which would allow unscrupulous individuals to manipulate tax information — and do so undetected

The Department of the Treasury’s Inspector General for Tax Administration said Internal Revenue Service (IRS) officials failed to ensure that identified weaknesses had been addressed before putting the new systems into use. IG J. Russell George said it was “very troublesome” that the IRS “was aware of, and even self-identified, these weaknesses.” The IRS, in response, pointed out that the report says that the agency has taken steps to correct vulnerabilities and improve data security. The agency also said no tax payer has been harmed.

The IG report deals with the Customer Account Data Engine (CADE) and the Account Management Services (AMS) system, both of which are gradually being put to use. The first will provide the foundation for managing all taxpayer accounts, the second will provide faster and improved access by employees to taxpayer account data. CADE is expected to cost more than $1 billion through 2012. This year it has processed about 20 percent of the 142 billion returns filed. The AMS will cost more than $700 million to develop and maintain through 2024.

The IG said those in the IRS who allowed the partial deployment of the systems were aware of the systems’ vulnerabilities but did not consider these vulnerabilities important. The IG disputes this view, arguing that these vulnerabilities increased the risks that unscrupulous individuals could gain access to vast amounts of taxpayer information with little chance of detection and that systems could not be recovered effectively during an emergency. Specifically, administrators to the CADE system could access, modify, and delete information without being detected, that contractors could make changes to system configurations without approval, and that backup tapes from offsite storage facilities were not adequately tested to ensure that data would be restored without errors or losses. It said auditing controls for the AMS system were not sufficient to ensure that illegal browsing, changes, or theft of taxpayer files would be detected.