IRS still losing laptops

A new report filed by federal security auditors finds that that the Internal Revenue Service has had almost 500 laptop computers lost or stolen over the last three years, many of which were loaded with sensitive taxpayer information.

[ Read about the  GAO's report on the IRS in the Zero Day Security blog. ]

In a memo authored by the Treasury Department's Inspector General for Audit, Michael R. Phillips, investigators maintain that the IRS is not adequately protecting taxpayer data on laptops and other portable electronic media devices. The report contends that between 2003 and 2006 the IRS had some 490 laptops lost or stolen in 387 individual incidents.

In the missive, originally filed to IRS leaders on March 23, the auditors said 176 of those incidents did not involve the potential exposure of taxpayer data, but noted that the information of at least 2,300 individuals was stored on the other missing laptops.

The investigators said that they were unable to deduce whether taxpayer information was exposed via 85 of the reported device losses, however, it was confirmed that the personal information of at least 3,359 taxpayers was misplaced in the other incidents.

While chilling, the report does in fact show signs that the IRS has slowed the loss of computing devices over the last few years. In Jan. 2002, the IRS admitted in a similar audit that it had lost or misplaced some 2,332 laptops, desktops and servers over the previous 36 months.

According to the report, a large number of the missing laptops were stolen from employees' vehicles and residences, with an additional 111 of the incidents occurring within IRS facilities.

Perhaps the most notorious loss of a laptop in the federal sector came in May 2006 when a contractor working with the Department of Veterans Affairs had a computer stolen from his home that carried the personal data of an estimated 26.5 million people. The laptop was eventually recovered by law enforcement officials.

In addition to failing to properly secure their devices in and out of the office, the auditors said that some of the IRS' 100,000 employees were not properly encrypting data on their machines or utilizing adequate password protections.

Further, the auditors said that they conducted a test on 100 laptop computers currently in use by IRS employees and determined that 44 of the devices contained unencrypted sensitive data, including taxpayer data and employee personnel data. 

The IRS requires usernames and passwords on its laptops, but 15 of the 44 computers with unencrypted sensitive data also contained security vulnerabilities that could allow for circumvention of those tools.

"As a result, we believe it is very likely a large number of the lost or stolen IRS computers contained similar unencrypted data," the inspectors wrote in the report. "Employees did not follow encryption procedures because they were either unaware of security requirements, did so for their own convenience, or did not know their own personal data were considered sensitive."