Boston, MA – In an audit released today, State Auditor Suzanne M. Bump cautions inadequate controls at the Massachusetts Department of Revenue (DOR) could make sensitive taxpayer data, including Social Security numbers and tax payment history, vulnerable to cyberattacks and inappropriate disclosure. In the audit, which examined July 1, 2016 through December 31, 2018, she lays out steps the agency should take to protect itself from these threats and improve its overall IT operations.
The audit found DOR was not prepared to respond to or mitigate cyberattacks it or its vendors face. The report notes DOR did not have procedures in place to guide its response to IT security incidents. Without developing, documenting, and testing these procedures, DOR likely will not be prepared to quickly respond to security incidents when they occur, which could lead to additional lost or compromised data. Additionally, it had not fully assessed the IT vulnerabilities facing third-party vendors that have access to personally identifiable information (PII), such as Social Security numbers. The failure to develop these plans and assess these risks increases the likelihood that sensitive data could be inappropriately accessed.
“The Department of Revenue has incredibly sensitive data about every taxpayer and business in the Commonwealth. Taxpayers have no choice but to provide this information to DOR, so it has a responsibility to do everything it can to keep it safe. If this information was improperly disclosed by the agency or one of its vendors, it could wreak havoc on the lives of millions of Bay State residents,” Bump said. “In recent years, we’ve seen what can happen when DOR does not properly protect this information. It is my hope this audit will lead to action at the agency.”
During the audit period, DOR faced a series of incidents that inappropriately exposed sensitive data. A data breach exposed the private information, including tax payment records and tax identification numbers, of approximately 39,000 business taxpayers. Additionally, computer problems delayed child support payments to approximately 1,500 parents. A different computer issue resulted in the agency accidentally sending out approximately 6,100 mailings related to child support payments, which includes Social Security numbers, to the wrong address.
Additionally, the audit calls on DOR to establish an IT strategy committee to oversee agency-wide technology services. It also encourages the department to update its interdepartmental service agreement with the Executive Office of Technology Services and Security (EOTSS) to clarify IT-related roles and responsibilities between the agencies.
In its response, DOR indicates it is taking steps to address the issues identified by the audit.
The audit notes DOR has designed and implemented a training program to protect PII and has policies supporting protection of this data.
DOR is an agency within the Executive Office for Administration and Finance and has four main divisions: Tax Administration, Child Support Enforcement, the Division of Local Services (DLS), and the Underground Storage Tank Program. DOR is primarily responsible for tax collection and overseeing child support orders, but also helps cities and towns manage their finances, through DLS.