GAO: Bank Secrecy Act data at risk of disclosure
Report says Treasury must do more to restrict unauthorized access to sensitive information.
Ineffective information security controls at an anti-fraud agency within the Treasury Department have left sensitive personal and financial data vulnerable to abuse, according to a Government Accountability Office report released on Friday.
Auditors found that Treasury's Financial Crimes Enforcement Network (FinCEN) allowed multiple users to share accounts to download data, maintained poor control of passwords and accounts, failed to restrict access to sensitive files and did not encrypt all sensitive data. In addition, security guards did not inspect laptop computers entering and exiting the FinCEN facility, increasing the risk that an unauthorized user could introduce malicious software or remove sensitive data without permission, the report (GAO-09-195) stated.
"As a result [1970 Bank Secrecy Act] data -- containing highly sensitive personal and financial information about private individuals that is used by the law enforcement community to identify and prosecute illegal activity -- are at an increased risk of unauthorized use, modification, or disclosure," GAO stated.
FinCEN uses its own computer systems, those of the Internal Revenue Service and the Treasury Communications System, to share information from currency transaction and suspicious activity reports with law enforcement and regulatory agencies, which use the data to investigate potential crimes such as money laundering and terrorist financing. FinCEN also maintains a Web portal through which other agencies can access the information.
GAO noted that in addition to the other weaknesses, FinCEN has yet to complete tests to ensure it can keep its systems running during a natural disaster or unexpected attack. Auditors also discovered that FinCEN's periodic scans of major systems for security weaknesses were "not always comprehensive or timely."
Additionally, FinCEN applied patches, or software updates, to the Web portal every three months rather than monthly as required. "Because the organization was not always applying patches in a timely manner, had not yet installed many critical patches, and had not upgraded software on all of its systems, data were unnecessarily vulnerable to compromise," GAO said.
The IRS has contributed to the problem as well, by failing to fully document changes to the baseline configuration of a database containing sensitive information. This introduces the possibility that system modifications might result in unintentional loss of data.
GAO recommended that FinCEN update its security policies with guidelines on prioritizing patches and system updates; inspecting outbound network traffic; and conducting quarterly vulnerability scans on all databases, applications and network components. In a written response, Treasury's chief information officer said the department will develop a detailed plan addressing the recommendations, and noted that many of the necessary fixes already are under way.
NEXT STORY: Silver Oak Leaves for Schlosser