January 23, 2006

IRS says no data security breaches found

By Caroline Drees, Security Correspondent

WASHINGTON (Reuters) - The Internal Revenue Service said on
Monday it found no breaches of private taxpayer and bank
account information after a report last year said unauthorized
people may have accessed the data.

The U.S. tax agency, which processed more than 224 million
individual and business tax returns for 2004, launched the
probe after the Government Accountability Office said in April
that the IRS "routinely permitted excessive access" to the
computer files.

The IRS databases also include suspicious activity reports
from banks about possible terrorist or criminal transactions.

A team from the GAO, the investigative arm of Congress, had
been able to tap into the data without authorization and
gleaned information such as bank account holders' names, Social
Security numbers, transaction values and any suspected
terrorist activity.

It said the data was at serious risk of disclosure,
modification or destruction, prompting the IRS to investigate
whether any security breaches had actually occurred.

"The IRS has no evidence, after reviewing our audit logs,
and reviewing our processes and system configurations, that any
IRS data was improperly accessed by any unauthorized
individuals, either internal and external to the government,"
IRS spokesman Bruce Friedland said.

"To the best of our knowledge, there has never been an
external breach of our critical data systems. After the GAO's
2005 study, the IRS established a series of work teams to
review and address the various findings highlighted in the
audit. This process, addressing any potential security
weakness, continues," he said.

Details on how the IRS ruled out data security breaches
were not immediately available.

Friedland said the IRS's efforts to address security
concerns had resulted in the correction of numerous weaknesses
and the implementation of internal controls.

Among the data stored at the IRS are so-called suspicious
activity reports, which banks must file on transactions they
believe could be linked to money laundering or terrorism
financing. As their name suggests, the reports are filed based
on suspicions, not necessarily proof, and the vast majority
never lead to investigations or prosecutions.

Unauthorized access to the information held by the IRS
raises concerns about the privacy rights and civil liberties of
innocent banking clients as well as ordinary taxpayers.

Concerns about privacy violations through weak computer
security have been mounting in the United States over the past
year after a string of companies reported stolen or
misappropriated customer data, including Bank of America Corp.,
ChoicePoint Inc. and Reed Elsevier.