The state Department of Revenue is leaving the “incredibly sensitive” private data of Massachusetts taxpayers exposed to cyberattacks and has not been prepared to respond to an attack or limit the damage if the agency is hacked, Auditor Suzanne M. Bump said in a report released Monday.
An audit that covers July 1, 2016, through Dec. 31, 2018, found that the department, which holds private data such as Social Security numbers and tax-payment histories, lacked procedures to guide its response to cyberattacks or other IT security incidents. And the agency had not taken steps to assess the potential threats to taxpayer data posed by outside vendors who have access to personal information.
“The Department of Revenue has incredibly sensitive data about every taxpayer and business in the Commonwealth. Taxpayers have no choice but to provide this information to DOR, so it has a responsibility to do everything it can to keep it safe,” Bump, a Democrat, said in a statement accompanying the audit report.
“If this information was improperly disclosed by the agency or one of its vendors, it could wreak havoc on the lives of millions of Bay State residents,” Bump said. “In recent years, we’ve seen what can happen when DOR does not properly protect this information. It is my hope this audit will lead to action at the agency.”
The report follows a series of incidents in which private data held by the DOR was exposed. In early 2018, a data breach made private information from about 39,000 business taxpayers visible to other companies, potentially including competitors. That was followed by computer problems that delayed child-support payments to approximately 1,500 parents. Then the Department of Revenue wrongly released tax information on roughly 6,100 people — and sent that private data, which included Social Security numbers of people who owed child support, to the wrong addresses.
A spokesman for the Executive Office for Administration and Finance said in a statement Sunday that the DOR is committed to ensuring information security and has taken steps to address findings in the audit. That includes developing new policies and procedures and forming work groups to evaluate risks and compliance, the statement said.
“The audit found procedural and documentation shortcomings only and did not find any instances of personal data being exposed or used inappropriately,” the statement said.
In an interview with WCVB-TV that aired Sunday, Bump indicated the blame for lax data security lies with Governor Charlie Baker, a Republican.
“The first act of his acts as governor, if you recall, was to offer an early retirement incentive plan to reduce the number of employees in state government,” Bump said. “That had a significant impact on all of the agencies. They were terribly eroded, and they haven’t been built back up.”
“It was easy to predict that when you cut out so many people, and so many basic functions were being under-funded, under-populated with professionals,” Bump continued, “that you would end up with results like this.”
Sarah Finlaw, a spokeswoman for the governor, responded:
“The Baker-Polito Administration has prioritized strengthening the Commonwealth’s cybersecurity defenses to protect sensitive data, has filed legislation which would invest $600 million in IT infrastructure, and the administration supports the Department of Revenue’s ongoing and next steps to address this audit’s findings.”
Finlaw added that the early retirement program saved the state more than $189 million the fiscal year it went into effect.
Among its findings, the audit report said the DOR had failed to assemble a so-called “information technology strategy committee,” leaving it unclear who’s responsible for IT governance and reducing risks.
“This can result in information security risks and investments not being aligned with business needs,” the report said.
The panel should include the department’s IT and business units to determine what planning and investment are needed to secure the data, Bump said on WCVB.
The agency also did not have a written plan for how to detect, respond to, and resolve data-security incidents.
“Without documented and tested incident response procedures, there is a higher-than-acceptable risk that DOR may not be able to respond properly to information security incidents, which may result in delayed identification of an incident, additional loss of data, or negative public opinion,” the audit report states.
Victoria McGrane can be reached at email@example.com.