IRS computers are still running the 13-year old Microsoft (NYSE:MSFT) Windows XP operating software which Microsoft stopped supporting a year ago with security updates. Even the agency’s fraud-catching software is two decades old. The outdated software may have played a role in the breach the IRS announced last week in which thieves hacked into the agency’s online service and gained access to more than 100,000 taxpayer accounts.
The criminals used personal data obtained from other sources, including Social Security numbers, street addresses and dates of birth to get into the IRS’ “Get Transcript” service. The service was subsequently shut down. The thieves gained access to tax returns and other tax information on file with the IRS.
During an IRS budget hearing in April before the House Financial Services and General Government Committee, the chairman, Rep. Ander Crenshaw, questioned why the agency had been so slow to upgrade to Windows 7. “Now we find out that you’ve been struggling to come up with $30 million to finish migrating to Windows 7, even though Microsoft announced in 2008 that it would stop supporting Windows XP past 2014,” the Congressman said. “I know you probably wish you’d already done that.”
IRS Commissioner John Koskinen has said budget cuts have kept the service from upgrading, telling Congressional members that “we still have applications that were running when John F. Kennedy was president.”
The news comes as cold comfort to the tens of thousands of Americans who have had their identity stolen as a result of filing their taxes. And, the breaches can be no surprise to the IRS itself which has been warned repeatedly by the Government Accountability Office over limited security controls. In the most recent report, the GAO found 69 potential problems, including weak employee passwords.
The tax reporting agency is embroiled in several scandals. The agency used its powers to delay or deny non-profit status applications by groups with “tea party” and “patriot” in their names, an overreach of power that has led to a criminal investigation by the agency’s inspector general. Further, its aggressive hounding of small businesses, including seizing bank accounts of businesses the agency suspects of involvement in criminal activity was halted because of complaints late last year.