Lax Security Found in IRS Electronic Filing System

Even as the IRS was assuring taxpayers last year that electronic filing of tax returns was secure, serious shortcomings existed that could have allowed hackers to view and even change information on returns, a government watchdog agency said.

The General Accounting Office found no evidence that hacking had occurred, but it said its investigators were able to gain unauthorized access to the tax agency’s electronic filing system, which will handle a third of all federal returns this year. The GAO cited the IRS for lax security controls and for not requiring encryption of electronic returns.

The report also said the IRS sent out $2.1 billion in refunds to taxpayers whose returns were not properly authorized.

Electronic filing allows taxpayers and tax preparers to send returns via computer modem to private, IRS-authorized companies, which then transmit the information to the tax agency.

The IRS, which has struggled to modernize its computer systems, said that it had fixed the most serious problems raised in the report and that it is studying whether to use encryption to boost security further.

IRS Commissioner Charles Rossotti said in a statement Wednesday that the agency had implemented a “sweeping set of changes and upgrades to add strengthened protection” to its electronic filing system in the last year.

“To put it simply, taxpayers can feel safe and secure using e-filing during this year’s filing season,” Rossotti said, noting that nearly 190 million returns had been safely filed electronically since 1986.

The GAO, however, said its review, conducted during last year’s tax season, showed that the IRS’ abilities to detect hacker attacks at the time were not adequate.

The GAO said the IRS needed to be more vigilant about security than most government agencies because of its high profile and the risks involved in handling sensitive taxpayer information. Taxpayers could suffer not only a loss of privacy but also financial losses if their data were used for crimes such as identity theft.

“Because of its role as the nation’s tax collector, the IRS computer system may be a target for certain individuals or groups,” the report said. “Our tests, which successfully identified and exploited weaknesses in the IRS’ e-file computers, were not sophisticated.”

The IRS has been dogged for years by allegations of potential security problems. In 1996, the agency had to scrap ambitious plans for an over-the-Internet filing system known as Cyberfile, in part because of security concerns.

In this latest report, GAO investigators said they were able to access a key electronic filing system using a common hand-held computer.

The GAO’s review found that the IRS failed to adequately safeguard information as it was being transmitted to the agency and after it had arrived in IRS computers.

The GAO said the tax agency should have more tightly restricted its own employees’ access to computer data, implemented better password procedures and more closely monitored the private companies that transmit electronic returns to the IRS.

The GAO also said the IRS refunded $2.1 billion to e-filing taxpayers who failed to adequately sign or authenticate their returns. Although the agency withholds refunds when paper returns are not signed, it sent out refunds to almost 1.2 million taxpayers who filed electronically but failed to use an IRS-issued personal identification number or to follow up the e-filing with a signature form as required by law, the GAO said.

The IRS has since changed its identification number system and said it would strengthen its procedures for making sure signature forms are filed when the identification number is not used.

The report comes as the IRS is using public service announcements on radio and television to tout electronic filing as a way for taxpayers to get their refunds faster.

Congress has required that 80% of all tax returns be filed electronically by 2007. Last year, 27% of returns were sent electronically. The IRS expects to reach 33% this year.

The IRS says e-filing is faster, less error-prone and safer than mailing in paper copies of tax returns. Paper copies must be input into IRS computers by agency workers, which slows the process and can lead to errors.

With electronic filing, however, a taxpayer’s return is first transmitted via computer modem to one of several private IRS contractors, which then send returns in large batches to the IRS. The system is supposed to further reduce errors by checking taxpayers’ math and matching Social Security numbers to individual records. If the return is problem-free, the agency accepts it and an electronic signal is relayed back to the taxpayer acknowledging receipt--although the GAO found that some errors were not caught.

The companies that handle e-filings are vetted by the IRS, which said it rejected 224 applications and suspended 703 companies last year because they failed “stringent suitability requirements.”

Those requirements may not be stringent enough, however. The GAO noted that the IRS still does not require most e-filing firms to submit to criminal background or fingerprint checks for employees and does not assess the firms’ computer security as part of its ongoing monitoring.

The GAO, an arm of Congress that investigates government operations, prepared the report at the request of Sen. Fred Thompson (R-Tenn.), a member of the Senate Finance Committee, which oversees the IRS.