A division of the Comptroller of Maryland’s office has for years kept sensitive taxpayer information, including Social Security numbers, on a publicly accessible computer server, according to an audit made public on Thursday.
The report by the state Office of Legislative Audits said the Revenue Administration Division kept more than 75,000 records, including Social Security numbers and the first and last names of Maryland taxpayers. Lax security made those records vulnerable, auditors said — and it’s not the first time the division has been warned.
“We identified 75,219 records on this web server containing sensitive information that would be accessible to unauthorized individuals if the related server were compromised,” the report said. Auditors went on to write that the information stored is “commonly sought by criminals for use in identity theft.”
The finding was one of 10 reported by legislative auditors, who noted that four were repeat violations by the Revenue Administration Division, which is responsible for processing, evaluating, verifying and recording tax data.
In a 2010 report, auditors found that the division did not ensure taxpayers include Social Security numbers for dependents claimed on individual income tax returns, did not appropriately account for some refund checks and did not properly control cash receipts. Thursday’s report found the same deficiencies.
The report also said inadequate procedures in the division could allow mistakes to go uncaught for long periods, as was the case with at least one tax return examined by auditors.
The division lacked documents to support out-of-state tax credits claimed on paper tax returns, the audit said. One tax return reviewed by auditors that included a credit of $632,451 was improperly recorded as $733,551, causing the state to lose $101,101 that should not have been refunded, the audit said.
Periodic audits of state agencies are conducted for members of the Maryland General Assembly, who could use the information to alter state policies that the agencies must follow. Auditors wrote that the report details “significant deficiencies in the design or operation of internal control that could adversely affect RAD’s ability to maintain reliable financial records, operate effectively and efficiently and/or comply with applicable laws, rules and regulations.”
In a written response to auditors, Deputy Comptroller David F. Roose and Revenue Administration Division Director Rhea R. Reed agreed with the report’s findings and noted that most recommendations made in the report “have already been implemented.”
The response went on to say that sensitive taxpayer data had been removed from the server that auditors feared could be compromised.
“Protection of taxpayer information is a top priority for the Comptroller of Maryland. The referenced data have been permanently removed from all servers and are not subject to replication,” the response said. “We are continually enhancing our security controls in order to protect taxpayer information.”
The comptroller’s office agreed to encrypt taxpayer data and beef up security controls to limit access to the server where sensitive information is kept.
A spokesman for the comptroller’s office declined to comment beyond the agency’s written response to auditors.