IRS Not Adequately Guarding Taxpayer Info, GAO Says

Still Playing Too Fast and Loose With Your Personal Information

[Image: IRS building. Caption: IRS Continues to Place Taxpayer Information at Risk, GAO Finds. Credit: Drnadig/Getty Images]

Despite hounding the Internal Revenue Service about it for years, the Government Accountability Office (GAO) says your favorite tax agency continues to be totes amazeballs bad at protecting taxpayers’ information, possibly exposing it to hacking, scamming and identity stealing.

After the massive and costly data theft at the U.S. Office of Personnel Management, the Washington Post pondered whether federal employees should trust the government with their personal information.

Frankly, the bigger question is, what about the 315 million Americans who are not federal employees?


In conducting its Fiscal Year 2014 tax season audit of IRS’ financial statements, the GAO reported that long-unresolved security problems in the IRS’ information systems could allow unauthorized employees, outside contractors and hackers to access taxpayers’ sensitive information.

While conceding that the IRS had “made progress” in installing information security controls, the GAO found “weaknesses limit their effectiveness in protecting the confidentiality, integrity and availability of financial and sensitive taxpayer data.”

For example, GAO found that even under IRS’ latest set of security controls, some employees were still allowed to use simple passwords of fewer than eight characters. In addition, the IRS failed to ensure that all employees and contractors were required to change their passwords every 90 days.

While the security software allowed and recommended doing so, none of the IRS’ 112 database access accounts were set up to require periodic password changes, and some IRS contractors were allowed to access taxpayer databases before receiving IRS security training, the GAO found.


In one case caught by the GAO, a monthly IRS security review had failed to identify a former IRS employee, whose taxpayer database access privileges and password had never been deactivated, indicating a larger failure of the agency to properly track employee access to sensitive data.

In another case, the IRS gave employees excessive privileges to an application used to process electronic tax payment information. Specifically, the GAO found the IRS did not appropriately limit the ability of unauthorized employees to enter commands using the application’s user interface. As a result, the employees could access or change tax payment-related data.
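The controls the GAO faulted in the findings above (a minimum password length, a 90-day rotation window, periodic password changes on database accounts, deactivation of access when an employee leaves, security training before contractor access, and limiting who can enter commands in the electronic-payment application) are all things an automated access review can check on a schedule rather than by hand once a month. The script below is an added example written for this article, not code from the GAO report or the IRS; its account records are constructed sample data, and the field names, the "payment-ops" role name and the review date are assumptions made for illustration.

```python
"""Access-review checks for the control gaps described in the GAO findings.

Added illustration, not the GAO's or the IRS's code. Account records are
constructed sample data; field names, role names and the review date are
assumptions for the example.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

MIN_PASSWORD_LENGTH = 8      # policy floor cited in the report
MAX_PASSWORD_AGE_DAYS = 90   # rotation interval cited in the report
# Roles permitted to enter commands in the payment application (assumed name).
PAYMENT_APP_COMMAND_ROLES = {"payment-ops"}


@dataclass
class Account:
    user: str
    kind: str                      # "employee", "contractor" or "database"
    enabled: bool
    password_length: int
    password_set_on: date
    password_expires: bool         # does the system force a periodic change?
    separated_on: Optional[date] = None   # HR separation date, if any
    training_completed: bool = False
    roles: Set[str] = field(default_factory=set)
    payment_app_command_access: bool = False


def review_account(acct: Account, today: date) -> List[str]:
    """Return the policy findings for one account; an empty list means clean."""
    findings: List[str] = []
    if acct.password_length < MIN_PASSWORD_LENGTH:
        findings.append("password shorter than policy minimum")
    if not acct.password_expires:
        findings.append("periodic password change not enforced")
    if (today - acct.password_set_on).days > MAX_PASSWORD_AGE_DAYS:
        findings.append("password older than rotation window")
    # A separated employee whose account is still enabled is the case the
    # monthly review in the report missed.
    if acct.enabled and acct.separated_on is not None and acct.separated_on <= today:
        findings.append("separated personnel still enabled")
    if acct.kind == "contractor" and acct.enabled and not acct.training_completed:
        findings.append("contractor access granted before security training")
    # Command entry in the payment application should be tied to an authorized role.
    if acct.payment_app_command_access and not (acct.roles & PAYMENT_APP_COMMAND_ROLES):
        findings.append("payment-app command access without an authorized role")
    return findings


def run_review(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Map each non-compliant account name to its findings."""
    report: Dict[str, List[str]] = {}
    for acct in accounts:
        findings = review_account(acct, today)
        if findings:
            report[acct.user] = findings
    return report


# Constructed sample data for the review run.
TODAY = date(2015, 6, 30)
SAMPLE_ACCOUNTS = [
    Account("alice", "employee", True, 14, TODAY - timedelta(days=30), True,
            roles={"payment-ops"}, payment_app_command_access=True),
    Account("bob", "employee", True, 6, TODAY - timedelta(days=200), False),
    Account("carol", "contractor", True, 12, TODAY - timedelta(days=10), True,
            training_completed=False),
    Account("dave", "employee", True, 10, TODAY - timedelta(days=20), True,
            separated_on=date(2015, 3, 1)),
    Account("svc_taxdb", "database", True, 16, TODAY - timedelta(days=400), False),
    Account("erin", "employee", True, 12, TODAY - timedelta(days=5), True,
            roles={"help-desk"}, payment_app_command_access=True),
]

if __name__ == "__main__":
    for user, findings in run_review(SAMPLE_ACCOUNTS, TODAY).items():
        print(f"{user}: {'; '.join(findings)}")
```

Running it against the sample set flags every account except "alice": the database service account with no forced rotation, the separated employee still enabled, the untrained contractor, and the help-desk user who can enter commands in the payment application. Feeding the same checks from a real identity source lets the review run daily instead of monthly, which is the gap the former-employee finding exposed.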

“As a result of these weaknesses, IRS had reduced its ability to control who was accessing its systems and data,” wrote the GAO.

Even after becoming aware of such security weaknesses, IRS management often failed to address them, reported the GAO.


Of the 69 security weaknesses identified by the GAO in its Fiscal Year 2013 audit, the IRS claimed to have corrected 24 of them; however, according to the 2014 audit, only 14 had actually been resolved.

Pretty well summing up the less-than-comforting situation, the GAO concluded that unless and until the IRS fixes its data security weaknesses, “its financial and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification or disclosure.”  

What the GAO Recommended… This Time

In addition to the still-unresolved recommendations from its 2013 audit, the GAO recommended 5 additional actions the IRS should take to more effectively implement elements of its information security programs. In a separate report, given only to IRS management, the GAO recommended 14 new actions the IRS should take to address “newly identified control weaknesses” in its information security programs.

In its response to both reports, the IRS agreed to develop corrective action plans in areas the agency believed it was “appropriate” to do so.