The Internal Revenue Service (IRS) has not been doing enough to ensure that one of its vendors’ security and antivirus software is up to date, according to the agency’s internal watchdog.
A deep dive by the Treasury Inspector General for Tax Administration (TIGTA) into eGain found that the vendor neglected to install two critical and three high severity rated antivirus software releases, and that it was using an outdated version of the antivirus software for a year.
The Amazon Web Services GovCloud system hosts the Taxpayer Digital Communications (TDC) platform, which allows taxpayers to securely send documents to and receive documents from IRS agents, as well as communicate with customer service representatives.
“Without effective security and access controls, the TDC platform is susceptible to data loss and manipulation as well as unauthorized access and disclosure of taxpayer data,” the TIGTA report says. “In addition, the TDC platform is vulnerable to human errors or actions committed with malicious intent. People acting with malicious intent can use their accesses to obtain sensitive information, commit fraud and identity theft, disrupt operations, and launch attacks against the IRS.”
After reviewing 175 vulnerabilities, TIGTA found that eGain took between 16 and 42 days to remedy four critical security risks. TIGTA also found problems with access control: of the nearly 4,000 total users on the communications platform, 681 were not authorized.
The watchdog made eleven recommendations to the IRS Chief Information Officer, Nancy Sieger, including:
- Ensuring that the standard operating procedures are updated to require continuous monitoring security reviews;
- Ensuring that eGain upgrades antivirus software in a timely manner; and
- Ensuring that users of the TDC platform are both authorized and have access.
Sieger agreed to all eleven recommendations and plans to execute them in phases – with the earliest phase to be completed as soon as Dec. 15.