Another security breach: IRS sent taxpayer data on unencrypted tapes

By Beth Pariseau, Senior News Writer
14 Jan 2008 | SearchStorage.com
http://searchstorage.techtarget.com/originalContent/0,289142,sid5_gci1293698,00.html?track=NL-
52&ad=620112&asrc=EM_NLN_2883514&uid=6625225 

Despite all the high-profile incidents in the past two years of lost backup tapes and other security breaches, the Internal Revenue Service (IRS) was exposing personal information on unencrypted tapes until last fall.

The IRS confirmed to SearchStorage.com that copies of its tax database were distributed to state agencies on unencrypted tapes before Sept. 30, 2007. A source at one state agency said the tapes were also sent using common carriers, such as FedEx.

The source, whose agency received the database information on a regular basis, said the IRS had formal guidelines for agencies to place the tapes behind three layers of physical security -- inside a locked box, for example -- and restrict access to "need-to-know" personnel. He added a fourth layer of physical security, but that still didn't make him feel comfortable. "These were standard IBM mainframe tapes," he said. "It didn't take anything special to read them."

The IRS said it now uses a secure FTP site to transmit federal tax information instead of tapes. In an email to SearchStorage, the IRS responded:

IRS implemented secure electronic transmission of federal tax information utilizing Tumbleweed Secure Data Transfer (SDT) and ceased all shipments of unencrypted tape media outside of the Service on September 30, 2007. All electronic media used within or sent outside of the IRS must be encrypted (CDs, floppy disks, flash drives etc.) Tape media is no longer being created or shipped.

When asked what would happen to the unencrypted media sent out prior to Sept. 30, the IRS declined comment.

According to the IRS' 106-page official tax information security guidelines for state agencies, "Agency officials and employees either will return … information … to the office that it was originally obtained [sic] or make the information 'undisclosable.' "

However, guidelines for sending back the information are vague. "Agencies electing to return IRS information must use a receipt process and ensure that the confidentiality is protected at all times during transport," according to the guidelines provided by the IRS. The written guidelines include more detail on destruction methods, but having a witness to the destruction is listed as a suggestion, rather than a requirement. "Generally, destruction should be witnessed by an agency employee … [during destruction by approved contractors] it is recommended that periodically the agency observe the process to ensure compliance."

Many storage experts are amazed that any organization would use unencrypted tape after a string of high-profile incidents of lost backup tapes and other security breaches over the past few years.

"You just think the federal government has this stuff figured out," said W. Curtis Preston, vice president of data protection services, GlassHouse Technology Inc. "I'm glad to hear they fixed this, but what else is out there? What else is going on like this that we don't know about and won't know about until someone breaks a story or drops a tape?"