The Internal Revenue Service (IRS) reported the loss or theft of nearly 500 computers over a period of more than three years ending in 2006, according to an audit released this week.
Employees reported the disappearance of 490 laptops in 387 separate incidents from January 2003 to June 2006, the treasury inspector general for tax administration said in a memo to the IRS.
The audit was unable to determine exactly how many taxpayers may have been affected, although officials believe the personal information of at least 2,359 individuals could have been compromised.
In a separate investigation, the inspector found that of 100 laptops currently in use by the IRS, 44 contain unencrypted confidential information.
"As a result, we believe it is very likely a large number of the lost or stolen IRS computers contained similar unencrypted data," Michael Phillips, deputy inspector general for audit, said in the memo. "Employees did not follow encryption procedures because they were either unaware of security requirements, did so for their own convenience, or did not know their own personal data were considered sensitive."
The investigation also found that mobile devices, such as USB sticks and CDs that contained sensitive information, were not always encrypted.
In a March 1 response letter, Richard Spires, IRS CIO, said the agency was "taking aggressive steps to further secure government equipment and protect sensitive data to mitigate the risk of potential identity theft or other fraudulent activity."
These include providing employees with encryption capabilities, implementing full disk encryption and other physical security controls on laptops, starting a comprehensive employee awareness program and establishing a management and victim notification program.
Reporter: Dan Kaplan