Watchdog: IRS relies on vulnerable software

An inspector general audit has found that the IRS is relying on outdated operating systems, potentially exposing taxpayer information to data breach and identity theft.

According to the report, the agency failed to upgrade all of its Windows workstations and servers by “end of life” deadlines, when Microsoft stopped providing support for the operating system the agency was using.

{mosads}“When an operating system reaches its end of life, companies such as Microsoft stop supporting the operating system, which leaves the systems vulnerable to attack,” the Treasury Inspector General for Tax Administration (IG) said. “For the IRS, the use of outdated operating systems may expose taxpayer information to unauthorized disclosure, which can lead to identity theft.”

“Further, network disruptions and security breaches may prevent the IRS from performing vital taxpayer services, such as processing tax returns, issuing refunds, and answering taxpayer inquiries,” the watchdog continued.

As of May, the report states, only about half of the IRS’s servers had been updated from the 2003 software to the 2008 release. Thirteen-hundred workstations were still running on outdated software.

“We believe that running workstations with outdated operating systems poses significant security risks to the IRS network and data, particularly in the environment where a chain is only as strong as its weakest link,” the IG report reads.

“External hackers or malicious insiders need to locate only the one computer with security weaknesses, such as one with an outdated operating system, to exploit in order to steal data or further compromise other computers.”

The IG blamed poor project management for the delayed upgrade.

The watchdog slammed the agency for failing to follow “established policies over project management,” saying that it “provided inadequate oversight and monitoring of the Windows XP upgrade early in its effort.”

The IRS has been under fire for its cybersecurity practices after it revealed this year that hackers had accessed the old tax returns of more than 300,000 individuals, using the records to claim about $39 million in fake returns.

The IRS has often pointed to budget constraints as a chief reason it struggles to keep up with identity thieves.

In its 2016 budget request, the Obama administration has asked for $242 million in cybersecurity funding for the IRS — a 72-percent boost only distantly rivaled by a 23-percent requested increase to the Department of Health and Human Services’ information security funding.

Since the advent of the upgrade in 2011, the IRS has spent approximately $128 million to upgrade its Windows workstations, according to the IG report.

The agency expects to spend an additional $11 million through the end of this fiscal year, the report states.

The IRS disputed many of the claims in the audit, including the overarching critique of inadequate project management.

“During the critical implementation phase, the project received direct [chief technology officer] level oversight with IT and business executive leadership engagement,” the agency wrote in its response. “These practices enabled the IRS to dramatically increase the velocity of upgrades while minimizing risks and costs.”