
Report Says IRS Computers Exposed to Hackers


In a new report released by the Treasury Inspector General for Tax Administration (TIGTA), the IRS has been sharply criticized for failing to update the Windows operating system on its computers in a timely fashion. The foul-up exposed sensitive taxpayer information to hackers and hampered IRS practices.

The new report, “Inadequate Early Oversight Led to Windows Upgrade Project Delays” (TIGTA Ref. No. 2015-20-073, 9/28/15), presents TIGTA’s review of the IRS’ efforts to upgrade the operating system on its Windows workstations and servers. The audit was included in TIGTA’s annual plan for Fiscal Year 2015 (FY2015).

Operating systems are essential for the use of computers. When an operating system such as Windows reaches the end of its life, the company – in this case, Microsoft – stops supporting the system, leaving it vulnerable to attack. For the IRS, an outdated operating system may expose taxpayer information to unauthorized disclosure, which could lead to identity theft. Furthermore, network disruptions and security breaches may prevent the IRS from doing its job, including processing tax returns, issuing refunds and answering inquiries.

TIGTA found that the IRS had not accounted for the location or migration status of approximately 1,300 workstations and upgraded only about one-half of its Windows servers from the 2003 software version to the 2008 release. Going back to April 2011, when the IRS started the Windows workstation upgrade project, the agency spent approximately $128 million to upgrade its Windows workstations. It expects to lay out an additional $11 million through the end of FY2015.

Significantly, TIGTA claimed the IRS did not follow established policies over project management and provided inadequate oversight and monitoring of the Windows XP upgrade early in its effort. After running the numbers, TIGTA made the following three recommendations to the IRS:

  1. Ensure that all workstations have been adequately accounted for and upgraded to Windows 7.
  2. Ensure that enterprise-wide information technology maintenance and upgrade efforts going forward follow the Enterprise Life Cycle, as prescribed by IRS policy, to mitigate potential delays and to ensure project transparency and accountability.
  3. Require appropriate Executive Steering Committees to oversee enterprise-wide information technology maintenance and upgrade efforts with regular project reviews and executive approvals.

The IRS fully agreed with two of the recommendations. First, it said it has accounted for all workstations that still need to be upgraded to Windows 7 and plans to track them until completed. Second, it plans to ensure that enterprise-wide upgrade efforts receive adequate oversight.

On the recommendation that large-scale upgrade projects should follow the Enterprise Life Cycle, the IRS was only in partial agreement. It disagreed that all upgrade efforts should follow the Enterprise Life Cycle, but agreed that large-scale, enterprise-wide efforts require a set of well-documented minimum project documentation requirements to ensure that effective project management is adhered to for projects of this size.

To read the entire TIGTA report, including the analysis and the IRS’ response, go to https://www.treasury.gov/tigta/auditreports/2015reports/201520073fr.pdf.