Washington — Government investigators hacked into the Internal Revenue Service computer system last year and gained access to Social Security numbers and other sensitive information from electronically filed tax returns, a congressional report said Thursday.
"We had the ability to access virtually everything that was included in an electronically filed return," said Bob Dacey, director of information security issues for the General Accounting Office and the author of the report.
The investigators were able to view taxpayer information because the IRS had not securely configured its operating systems, used adequate password management practices or required the encryption of electronic returns, the report said.
No real hackers have invaded the agency's e-file system, said Terry Lutes, director of electronic tax administration for the IRS.
"No penetration of the system occurred last year. It was government people, GAO people, doing it," Lutes said.
"We don't have any evidence that it happened, nor does IRS, but we do point out that the IRS did not have adequate controls to detect intrusions if they had occurred," Dacey said.
He added that IRS officials did not know investigators had invaded their files. "Their system controls did not detect our successful access to their systems," Dacey said.
In one instance, investigators got into a critical system using a common handheld computer, said the report, requested by Sen. Fred Thompson, R-Tenn., chairman of the Governmental Affairs Committee.
It also said the computer system lacked a good defense, such as a strong "firewall," to keep hackers out.
Investigators said the IRS did not use secure computer passwords. Investigators were able to guess many of the passwords used based on their knowledge of common ones, the report said.
Lutes said the IRS had corrected all of the problems cited and said its e-file system "is safe and secure for taxpayers to use this year."
Lutes would not elaborate, citing security concerns.
Dacey said the GAO would evaluate the modifications made by the IRS later this year.
Pete Sepp, a spokesman for the National Taxpayers Union, was not reassured. "Taxpayers who are counting on filing electronically may want to consider the GAO's report before doing so," Sepp said.
Electronic filing enables taxpayers and tax preparers to send returns through computer modem to IRS-authorized companies, which then transmit the information to the agency.
The report noted that 35 million individual taxpayers filed electronically last year, up 20 percent from the previous year. The IRS is projecting that 42 million tax returns will be filed this year.
A 1998 law established a goal that 80 percent of all tax and information returns be filed electronically by 2007.
On Capitol Hill, a House leader said he probably would seek additional studies on the issue.
"To tell me that somebody with a home computer or even a handheld computer can crash into this system and access my tax reports and alter them is a level of security that's absolutely inexcusable," said House Majority Leader Dick Armey, R-Texas.
The IRS is not the only agency grappling with this, Dacey said. "We have found similar types of problems in a number of agencies," he said.
A GAO report released in September said a fourth of the government's major agencies had computer security problems.
No comments
Commenting is turned off for this story.