January 14, 2008 - The IRS and the Department of Homeland Security recently tied for second place as two most loathed federal agencies by the general public. Only FEMA beat them out, and only as a result of the agencies dismal performance in the aftermath of Hurricane Katrina. Within the past week, both the DHS and the IRS have received Congressional scolding for their lack of data security. The lack of action to protect the personal information of American's by both agencies is placing millions of us at risk for fraud and potential identity theft.

In the case of the IRS, a GAO report says that taxpayer records are vulnerable to hacking, disclosure or tampering. The GAO is the investigative agency for Congress. The report says that these vulnerabilities are a direct result of the IRS's failure to fix dozens of known security vulnerabilities in the agencies computer systems.

According to the report, the IRS continues to give too many people access to sensitive personal data belonging to tax payers, continues to use weak physical security protocols and fails to encrypt a wide variety of sensitive data. The report also sites differing security procedures from one IRS facility to the next, even though the agency has supposedly adopted a uniform security protocol.

In the case of the DHS, the House Oversight Committee has expressed its dissatisfaction with a website run by DHS. The site is supposed to give people who are erroneously placed on the agency's terrorist watch list with a means to clear their name. Over the past several months, thousands of people have registered on the site and several hundred have provided detailed information.

In February of last year a college student, Chris Soghoian, from the University of Indiana's School of Informatics found the site and blogged about it. None of the pages used to submit personal information on the site were encrypted. This means that any information submitted to the site was openly transmitted over the internet and vulnerable to theft. According to Soghoian, when he first looked at the site he thought it was actually used to launch phishing attacks.

As if the security breach by the DHS is not bad enough, it turns out that the website was built by an outside contractor who was awarded the government contract under questionable circumstances. The Congressional investigation found that a TSA employee, Nicholas Panuzio, wrote the requirements for the website. The investigation determined that the requirements could only be met by one company, Desyne Web Services of Boston.

As it turns out, Panuzio is a former employee of Desyne. He has also been friends of the company's owner since high school. Desyne has won approximately $500,000 in DHS contracts for various projects. This particular contract was for a little more than $48,000.

Rep. Henry Waxman (D-CA), chairman of the committee overseeing the investigation said in a statement, "It is mindboggling that TSA would launch a Web site with so many security vulnerabilities. The handling of this Web site goes against all good government contracting standards, reveals serious flaws in oversight, and potentially exposed travelers to identity theft."

According to the TSA, the matter has been investigated and the TSA has determined that no disciplinary action is warranted against Panuzio.

by Jim Malmberg

Note: When posting a comment, please sign-in first if you want a response. If you are not registered, click here. Registration is easy and free.

Only registered users can write comments.
Please login or register.