Yikes! Not exactly what you want to hear at the beginning of tax filing season.
But that's the word from the Government Accountability Office (GAO).
In a report released yesterday, GAO investigators found that IRS records, including taxpayer data, are vulnerable to tampering or disclosure because the agency has not yet corrected dozens of information security weaknesses.
We're a computerized world, and the GAO notes that the IRS takes advantage of such technology to collect taxes (about
That, says the GAO, is not happening. In fact, says the government watchdog agency, the IRS has made "limited progress toward correcting previously reported information security weaknesses. It has corrected or mitigated 29 of the 98 information security weaknesses that GAO reported as unresolved at the time of its last review."
That leaves around 70 percent of the information security weaknesses the GAO found previously still unresolved. For example, the IRS continues to use passwords that are not complex, grant excessive access to individuals who do not need it, and be lax in installing patches.
"In addition to this limited progress," says the GAO, "other significant weaknesses in various controls continue to threaten the confidentiality and availability of IRS's financial processing systems and information, and limit assurance of the integrity and reliability of its financial and taxpayer information."
Serious security faux pas: Specifically, the GAO says the IRS does not always:
- Properly identify and authenticate computer users,
- Limit user access to only those areas users need to perform their job functions,
- Encrypt sensitive data,
- Effectively monitor changes on its mainframe, and
- Physically protect its computer resources.
As a taxpayer, I repeat, Yikes!
A key reason for the weaknesses, says the GAO, is that the agency has not yet fully implemented its agencywide information security program. "As a result, IRS is at increased risk of unauthorized disclosure, modification, or destruction of financial and taxpayer information."
Acting IRS Commissioner Linda Stiff, in response to the report, wrote that the agency recognizes "there is significant work to be accomplished to address our information security deficiencies and we are taking aggressive steps to correct previously reported weaknesses."
I certainly hope so.
Same song, second verse: Sadly, the GAO findings are not a big surprise. Less than a month ago, the Treasury Inspector General for Tax Administration (TIGTA) issued similar findings of weaknesses in IRS database security controls.
"Previous reviews have demonstrated that control weaknesses could be exploited to gain access to sensitive taxpayer information and disrupt IRS computer operations," said TIGTA in its Dec. 14, 2007, audit.
The IRS, noted the report, "continues to have recurring information security weaknesses that make its databases susceptible to penetration attacks," making the data a potential "target for malicious users intent on committing identity theft and fraud."
To illustrate the vulnerability, TIGTA scanned 1,900 IRS databases (the agency has a total of 2,100) and determined that 11 percent of them had at least one account that used the system default password or worse, a blank password.
In those databases with weak or no passwords was personally identifiable tax information, making the data potentially easy marks for identity thieves and other criminals.
In addition, TIGTA said that 65 percent of the databases it checked needed to be updated, with more than 300 databases being outdated from 11 months to 20 months.
"As a result, outdated IRS databases were collectively susceptible to nearly 40,000 database vulnerabilities, one-half of which are considered high risk," according to TIGTA.
In response to the TIGTA findings, IRS officials said they plan to "take appropriate corrective actions," i.e., update systems, processes, and training so employees are aware of the steps they must take to secure sensitive taxpayer data from unauthorized individuals.
We shall see.