By Amber Kahwaji | Cronkite Newss
Arizona taxpayers’ financial and personal information at the Arizona Department of Revenue is vulnerable to computer-system attacks, and some employees failed to follow proper security measures, a state audit has found.
Auditors were able to gain “unauthorized access to sensitive taxpayer information” by using common information technology attack patterns, according to a 2015 Arizona Auditor General report.
The audit found:
– Employees gave their username and password in emails or over the phone to someone they believed was an IT specialist. Auditors practiced a common tool used by hackers called “phishing,” or gaining access to sensitive information in order to breach an IT system.
–Some file sharing folders had unrestricted access, allowing unauthorized employees ability to view tax returns with Social Security numbers, names and addresses.
– Some employees left out taxpayer information on computer screens, desks, copy machines and printers. One employee left “numerous taxpayer checks with banking information and other sensitive documents out in the open for at least 20 minutes.” Another employee left his desk without locking his computer screen.
– More than 85 percent of the revenue department’s IT systems had security “vulnerabilities” that include not updating software and hardware – even though the updates were readily available.
“We found that the department had various practices in place to help protect state taxpayer information. However, we were able to exploit common weaknesses in the department’s IT systems in order to gain access to sensitive information,” said Jeremy Weber, a performance audit manager who conducted the audit.
The report was released in September.
“Our findings did raise concerns that the department needed to improve its security practices to protect taxpayer information. However, these were common types of findings for agencies like the Department of Revenue,” Weber said.
The revenue department handled more than 5.7 million taxpayer documents in fiscal 2015, and its access to taxpayer’s’ financial and other personal information makes it a potential target of IT attacks, according to the audit.
It’s happened before in other states. Tax departments in Utah and South Carolina had security breaches that led to millions of dollars spent on programs, such as credit recovery services, to help taxpayers whose information had been compromised.
“One consequence of that is now there’s a hole in your system that just exists. It would be like in your home leaving a window open and unlocked. By itself it doesn’t cause a problem, it’s when a bad guys sees that open window and then decides to break into your house through that,” said Adam Doupe, assistant professor at ASU in Computer Science.
The revenue department does practice security measures that include having security guards or police, cameras and metal detectors at its four buildings, separating employee areas from publicly accessible areas and shredding documents in locked boxes.
And staff in the department’s Process Administration Division, which deals with the highest volume of taxpayer information, routinely follow the department’s “clean desk” policy to not leave information in plain sight, according to the audit.
Officials at the revenue department declined to comment, but told auditors they were putting some recommendations in place, according to the report. Changes include regularly assessing and correcting IT vulnerabilities and updating and maintaining software and hardware.
The audit department will follow up in March with the Department of Revenue to determine whether the audit’s recommendations have been implemented. In the end, taxpayers may have to accept that some risk is normal, ASU’s Doupe said, because no organization or technology can be 100 percent secure.
“I can’t say that professionally I’m shocked because I know this happens all over the place. A lot of organizations are vulnerable,” Doupe said.