Audit finds another cyber headache for IRS

Two years after leaving hundreds of thousands of accounts vulnerable to theft in the 2016 Get Transcript breach, officials at the IRS are still getting dinged for not doing enough to protect sensitive and personally identifiable tax data.

In a report released June 21, auditors focused on multiple failures by tax agency officials to follow security and privacy procedures around the Cybersecurity Data Warehouse (CSDW), which absorbed the same Get Transcript taxpayer account data that was left exposed in 2016.

"The IRS introduced new security weaknesses and risk to the CSDW when it began transferring taxpayer data from the Get Transcript application to the CSDW without following the established change management process," the audit read.

Following the breach, IRS officials made a decision to move personally identifiable information associated with Get Transcript to the data warehouse located at an enterprise computing center in Memphis, Tenn., in order to give their newly minted fraud analysis team easier access to the data.

While auditors found that the user access controls as well as the physical security procedures around the data warehouse and building were solid, IRS officials didn't follow established federal change management protocols. In particular, they failed to conduct a risk assessment for transferring the data, and they failed to notify the authorizing IRS official, who only learned from auditors during the investigation that the CSDW was now storing personally identifiable tax account information.

According to auditors, the agency did not update the security system plan or the privacy impact assessment for the warehouse to reflect the fact that it now housed sensitive taxpayer data, which could make it a bigger target for hackers.

Finally, IRS officials weren't implementing audit trails around access to the data that would allow them to track employee access and identify possible misuse or insider threats. Officials acknowledged the problem and instituted changes during the audit, with additional changes scheduled to be completed by January 2019.

The inspector general offered four recommendations for IRS CIO Gina Garza, including implementing more robust audit trails around employee access to data stored in the warehouse and ensuring "that employees are held accountable for not following established change management policies and procedures … thus putting PII at risk of exposure to unauthorized access."

Garza pushed back in a response attached to the audit, arguing that the warehouse already has appropriate security controls and that "this was not an issue of holding employees accountable." Shestressed that "at no time was PII at risk of exposure through the CSDW implementation."

Auditors responded that "adding PII to an information system is a significant change in the operating environment that needs to be addressed in a risk assessment."