- The Washington Times - Monday, November 18, 2013

A new cost-saving computer technology being implemented by the IRS has left the agency vulnerable to hacking, putting taxpayers’ info at risk, an investigative report has found.

“Virtual” servers, like other advances in cloud computing, allow several servers to run on a single physical host. It can save on money and electricity, tech experts say.

But although the IRS has developed cybersecurity guidelines, many of the servers aren’t following them, said a report by the agency’s internal watchdog, the Inspector General for Tax Administration.

In fact, the servers failed 43 percent of the tests investigators put them through, though they aren’t releasing what those tests and settings are due to security concerns.

Although the IRS Virtualization Project Office “has established processes to monitor its virtual infrastructure, we found that security configuration settings on hosts were not in accordance with IRS policy,” the IG said.

The potential for abuse could be much greater than in the past. The IG said that if hackers are able to breach one physical server, they could potentially have access to the information stored on all the virtual servers on that machine, too.

The IRS said some security practices have been temporarily placed on hold while they complete the upgrade.

“Because of the dynamic nature of such a major upgrade, we suspended some of our routine support practices and focused our resources on completing our upgrades in as short a time as possible,” a response from the agency said. “Once the upgrade is complete, we will not only resume our practices, but will also implement improvements to our support practices.”

Putting multiple virtual servers on a single physical one has allowed the IRS to save millions on hardware and upkeep. The agency currently has 5,399 virtual servers on 328 real ones, and estimates it is saving $51 million on costs.

But investigators also found that 63 percent of the servers were missing critical update patches. They also contended that records of the audits and evaluations of the systems were not properly tracked.