U.S. Senator Chuck Grassley (R-Iowa) said he plans to hold the Internal Revenue Service (IRS) accountable for its almost 500 missing or stolen laptops over the last three years during a Senate Finance Committee hearing next week. According to an IRS internal audit, many of the machines were likely holding unencrypted, sensitive taxpayer data.
"It's hard to see why this is still a problem when the IRS knew about it more than three years ago," Grassley said in a statement. "One stolen IRS laptop could put thousands of taxpayers in jeopardy. I plan to ask what the IRS is doing to fix this problem for good."
The audit, released last week, found "limited definitive information" on the number of taxpayers' affected. However, a separate test on 100 laptops currently in use by IRS employees determined 44 laptops contained unencrypted sensitive data on taxpayers and IRS employees. The audit also found other mobile computer devices, such as Flash drives with unencrypted data.
IRS Commissioner Mark W. Everson said in a statement the IRS is unaware of any identity-theft cases stemming from the loss of any laptops, but admitted the report correctly identified security shortfalls concerning the agency's laptops.
"The IRS is a field-based organization and our employees use laptops for day-to-day activity," Everson said. "These laptops, which typically have very limited data, had been routinely but not always encrypted."
Everson added that missing or stolen IRS laptops were historically treated as a loss of hardware and not a potential loss of taxpayer data and other personally identifiable information. "Clearly, this was not the proper response."
According to Everson, all but "roughly two dozen" IRS laptops have now been encrypted, and when a laptop is reported missing, "The process now assesses the potential information affected as well as the hardware loss."
In addition to lax encryption standards, the audit found the IRS struggling with usernames and passwords. Of the 44 unencrypted laptops tested, 15 had security weaknesses that could be exploited to bypass security access controls.
"We believe system administrators either incorrectly configured the computers upon deployment or did not correctly reset the controls after working on the computer."
The audit also revealed unencrypted backup data at four IRS off-site facilities. In one case, a non-IRS employee had full access to a storage area. In another example cited, envelopes and boxes with backup media were open and not resealed. "We attributed these weaknesses to a lack of emphasis by management," the audit states.
Everson said the IRS has emphasized employee training since last summer, as well as focusing on reporting incidents and increased accountability. "Protection of taxpayer data is a top priority of the IRS," he said. "The IRS has moved aggressively in this area since this issue was raised a year ago."