The Internal Revenue Service has made some progress in enhancing the security of its computer systems, but financial and taxpayer data remain “unnecessarily vulnerable” to fraudsters and hackers, according to a new report from the Government Accountability Office.
Among the continuing information security weaknesses cited by the government watchdog are outdated software without proper security functions, internal passwords that can easily be compromised, and excessive user privileges to an application used to process electronic tax payment information.
As part of its audit of the IRS’s fiscal 2013 and 2014 financial statements, the GAO found that controls over the length of passwords for certain network infrastructure devices were set to fewer than eight characters, and the agency did not ensure that all user account passwords were set to expire every 90 days or sooner on two databases.
Unless the IRS takes additional steps to address security, “its financial and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification, or disclosure,” the report warns.
A co-author of the report, Gregory Wilshusen, said taxpayer data is vulnerable to both outsider and insider attacks, and he described the IRS’s computer systems as a “treasure trove” of taxpayer data that could be used by identity thieves and other tax cheats, according to The Fiscal Times.
The GAO said the IRS had taken such positive actions as improving the security over the software that manages changes to its mainframe environment and upgrading secure communications enterprise-wide for sensitive data.
But there were “significant control deficiencies” because the IRS did not install appropriate security updates on all of its databases and servers, and did not sufficiently monitor control activities that support its financial reporting.
“An underlying reason for these weaknesses is that IRS has not effectively implemented elements of its information security program,” the report said.
Of 69 previously reported weaknesses that remained unresolved at the end of GAO’s last audit, IRS indicated it had implemented corrective actions for 24 of them. However, the GAO determined that 10 of those 24 weaknesses had not been fully resolved.