IRS Cybersecurity Flaws Put Taxpayers At Risk

An audit of the tax agency reveals that multiple security weaknesses make data vulnerable, particularly to insider threats.

As the IRS deadline for filing 2009 personal income taxes nears, the Government Accountability Office has released a report that calls into question the security of the information U.S. taxpayers are sending to the agency.

The report, released late last week, delivers a rather scathing assessment of an attempt by the IRS to improve the security of its IT system, reporting that the agency's system "remains unnecessarily vulnerable" and puts taxpayer information at risk, particularly to insider threats.

Sixty-nine percent of 89 security weaknesses and deficiencies identified by the GAO during a 2008 fiscal year audit remain unresolved, according to the report, which depicts the IRS' attitude toward security as rather blasé.

"Information security weaknesses -- both old and new -- continue to impair the agency's ability to ensure the confidentiality, integrity, and availability of financial and taxpayer information," the GAO said.

The main reason the IRS lacks IT security is that the agency has no comprehensive security management system in place, the GAO said. Moreover, it has not implemented appropriate access controls when it comes to sensitive information.

Specifically, the IRS continues to use weak passwords, ineffectively remove accounts for employees who no longer work for the agency, and allow agency personnel excessive file and directory permissions, according to the report.

The agency also allows user and administrator login information to be transmitted without encryption, fails to install patches in a timely matter, and ineffectively verifies that even the most basic security actions are complete. Moreover, it does not always do annual reviews of risk assessments, the GAO concluded.

Despite its overall negative evaluation, there were some bright spots in the report.

The IRS has corrected 28 of the 89 IT security weaknesses identified in the 2008 audit, taking steps to change vendor-supplied user accounts and passwords, and avoid storing clear-text passwords in scripts.

The agency also has enhanced policies and procedures for configuring mainframe operations and established an alternate processing site for its procurement system, according to the report.

Still, these efforts are not enough to create a secure system, the GAO said, and it provides recommendations for improving the situation.

The IRS should develop policies and procedures for network security, including better intrusion detection, and train contract workers on security awareness within their first 10 working days, according to the report.

Additionally, the agency should more carefully document and review the results of testing and evaluating controls, and implement an effective disaster recovery plan, the report says.

Read more about:


About the Author(s)

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights