IRS lost 490 notebooks, many with unencrypted data

The Treasury Department's Inspector General for Tax Administration has released a report on the Internal Revenue Service, finding that 490 laptops were reported stolen between January 2, 2003 and June 13, 2006. Unfortunately, because reporting procedures for stolen laptops were often not followed, there is no reliable way to know whether this number is accurate. "As a result, it is likely that sensitive data for a significant number of taxpayers have been unnecessarily exposed to potential identity theft and/or other fraudulent schemes," writes Michael Phillips, the author of the report. The IRS currently has more than 47,000 notebooks in operation, and has no doubt used many more than that over the last few years. The report does not suggest that the agency try to cut losses to zero, but instead that it take better precautions.

Inspectors found that "a large number of the lost or stolen IRS computers contain similar unencrypted data," and that employees routinely used flash drives, CDs, and DVDs to cart unencrypted data around with them. The report also points out that physical security is important. 111 laptops were stolen right out of IRS facilities and many of the remaining laptops were stolen out of vehicles or employee homes. The problems even extended to off-site data backups, where backup media were often unsealed and open to anyone in the building. IRS management has agreed with the findings of the Inspector General and has pledged to implement the report's recommendations. The report does note, however, that the IRS was warned about unencrypted data back in 2003 but did not take "adequate corrective actions."

News source: Ars Technica

13 Comments

wow are they stupid.... i guess nobody learned anything since Boeing had one of their laptops stolen from an employee's car with 390k people working and retired info in it

All these recommendations from government agencies about how to prevent identity theft, yet they lost their machines with all that information there, sounds ironic

I'd sue the IRS for reckless behaviour and exposure of sensitive critical information to possible identity stealers.

If we're supposed to trust the government with our sensitive information then they should better have proper policy of dealing with it (encryption is just one measure).

goatsniffer said,
How do you lose 500 laptops?!

The same way Halliburton can overcharge by $100 million in Iraq and no one says anything.

Government workers and contractors are just as corrupt as anyone else. Maybe even more so! These people need to be watched. They want to spy on every aspect of our lives, yet they don't want anyone monitoring their activities? I say put prison ankle bracelets on all government employees, especially George W. Bush, and watch them 24/7.

currently available encryption software for corporations like this (and they should be required to use encryption, no question) is unbreakable and will be for some time. example PGP Desktop Professional for enterprises. A stolen notebook will reveal no information, unless you steal the owner with it and force him/her to reveal the key.
I find this terribly ignorant. It's like lending somebody your passport or bank account information and they just lose it, come on, what are they thinking?

frac

to be perfectly honest, 400-500 out of 47 THOUSAND over 3 years is not terrible. and restricting irs employees to desktop workstations is not rational. IRS employees need to travel and work from home just like other people do.

to be perfectly honest, if someone was looking to steal an IRS laptop specifically, not just happen to be in the right place at the right time and not really know what they were snatching. they will. regardless of who you give them to or how you keep your watchful eye on it. if someone is determined enough to get an individual's laptop, they will. same goes for encryption, if it's financially viable for someone to get through the encryption, they will. but chances are these 500 stolen laptops are simply chance. not hatched master plans to acquire irs data. simple encryption will thwart these average thieves and essentially render the laptop useless, or force the thief into replacing the HDD to have a usable laptop.

it's like a lock on your front door. does it REALLY keep thieves out? no. it just keeps the honest people honest. i doubt most common thieves would know what to do with an irs personnel DB anyway! they just want the friggin free laptop.

Nose Nuggets said,
to be perfectly honest, 400-500 out of 47 THOUSAND over 3 years is not terrible.

It is terrible when I as a tax payer have to help pay for those stolen laptops or the unencrypted information is used for other purposes. It's a tad stupid to keep sensitive information in an unencrypted form but it's the government so they're not that smart.

BAN THE IRS.

same goes for encryption, if it's financially viable for someone to get through the encryption, they will.

Wasn't there an article a while back saying it would take several millennia to break the strongest current encryption schemes? Anyway it's extremely irresponsible for them to have sensitive data on a laptop and not have it encrypted.

Ravensworth said,

Wasn't there an article a while back saying it would take several millennia to break the strongest current encryption schemes? Anyway it's extremely irresponsible for them to have sensitive data on a laptop and not have it encrypted.

With current technology maybe. But who knows? Maybe in the next week someone finds a way to break it in 2 mins?

But yes, I agree with you that they should encrypt data like this.

People usually take greater care of their own personal belongings and don't leave them in situations which result in theft. The blatant disregard of IRS employees to allow theft of laptop units in this quantity should be reason enough to deploy stricter policies and hold employees responsible. On the other hand, why is critical data being stored on laptops, why do IRS workers need to be mobile, this data needs to be confined to workstations connected to a central dbms, not floating around on unsecure laptops.