Government Payroll System Open to Hackers, Report Says

A government payroll computer center in Denver is fraught with security problems, raising the possibility of criminals stealing or altering records, congressional investigators said Tuesday.

The General Accounting Office, the investigative arm of Congress, faulted the National Business Center for not adequately securing its computer network, not investigating suspicious access patterns and having lax physical security.

"The effect of these weaknesses is to place sensitive NBC-Denver financial and personnel information at risk of unauthorized disclosure, critical financial operations at risk of disruption, and assets at risk of loss," the report said.

The center handled more than $12 billion in financial transactions last year, including payroll checks for more than 200,000 federal employees. It develops and operates financial systems for more than 30 federal organizations, as well as its parent, the Interior Department.

A deputy to Interior Secretary Gale Norton told investigators he was thankful for the audit, and promised the problems will be fixed.

Despite security reviews by Interior's own watchdog office in 1997 and 1998, many security problems still exist, congressional investigators said.

Many of them involved granting too many people access to the most sensitive programs and networks, even if their jobs don't require that access level. Investigators also easily guessed passwords and found ones that had not been changed in three years.

Security experts say computer passwords should be changed frequently to protect against earlier breaches and disgruntled ex-employees.

Physical security is also a problem, congressional investigators said. Although a special photo identification is required, many people entered the building by following a person with an authorized card. Guards were posted at the entrances, but they failed to check each person.

People who weren't cleared to enter the building could get in relatively easily, congressional investigators said, "increasing the risk that intruders with malicious intent might obtain access to sensitive computer resources or disrupt operations."

Robert Lamb, an acting assistant secretary at Interior, told investigators that about half of the recommendations have already been fulfilled, and the rest will be finished by the end of the year.

Many federal agencies have had trouble keeping computer systems secure from hackers and criminals.

Earlier this year, the GAO reported that it broke into the Internal Revenue Service's electronic tax payment system and was able to read tax returns filed online.

Computer networks at the Department of Veterans Affairs, Environmental Protection Agency, and the agency that controls Medicare have also been found to have significant vulnerabilities.