IRS Still Lacks Protections for Sensitive Taxpayer Information

Report: Data still vulnerable to attacks, unauthorized collection

The IRS Building in Washington, DC / Getty Images
August 20, 2018

The Internal Revenue Service has failed to implement a series of reforms aimed at bolstering its protection of sensitive taxpayer information, leaving the agency's computer systems vulnerable to unauthorized access that could compromise Americans' financial information, according to a new government oversight report.

While the IRS has taken steps to improve its protection of taxpayer information, it has yet to implement more than 100 security procedures meant to help the agency protect sensitive taxpayer information, the Government Accountability Office (GAO) found in its latest audit.

"Until IRS takes additional steps to address unresolved and newly identified control deficiencies and effectively implements components of its information security program, IRS financial reporting and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification, or disclosure," according to the report. "These shortcomings were the basis for GAO's determination that IRS had a significant deficiency in internal control over financial reporting systems for fiscal year 2017."

The IRS is just one of numerous government agencies struggling to prevent the disclosure of sensitive information, including that of American citizens and sensitive government information stored on government networks.

The GAO found in its latest IRS audit "continuing and newly identified control deficiencies limited the effectiveness of security controls for protecting the confidentiality, integrity, and availability of IRS’s financial and tax processing systems."

Government auditors are pressing the IRS to implement more than 30 new procedures to protect sensitive financial data. This includes limiting unauthorized access to certain networks and increasing documentation among those with access to these networks. Auditors identified at least 154 recommendations to improve security that have yet to be implemented by the IRS, which collected $3.4 trillion in federal taxes in 2017.

In its latest audit, investigators "identified continuing and new internal control deficiencies concerning IRS's financial reporting systems that are important enough to merit the attention of those charged with governance of IRS," according to the report.

More rigorous standards should be implemented to keep track of those with access to sensitive information, according to the report.

"People acting with malicious intent can use their access to obtain sensitive information, commit fraud and identity theft, disrupt operations, or launch attacks against other computer systems and networks," the report notes. "These threats to computer systems and related critical infrastructure can come from sources that are internal and external to an organization."

This includes internal threats, such as those posed by employees and contractors, as well as external threats, such as rogue hackers and nations.

Internal threats include equipment failure, human errors, and fraudulent or malevolent acts by employees or contractors. External threats include the ever-growing number of cyber-based attacks that can come from a variety of sources such as individuals, groups, and countries who wish to do harm to an organization's systems.

"Our previous reports, and those by federal inspectors general, describe persistent information security weaknesses that place federal agencies, including IRS, at risk of disruption, fraud, or inappropriate disclosure of sensitive information," the report states.

Despite pressure from internal watchdogs and those in Congress, the IRS continues to face "deficiencies in authentication," which limits oversight on individuals with access to sensitive information.

The IRS, for instance, "did not enforce password expiration limits" in some instances, did not enforce "minimum password lengths" for some accounts, and failed to authenticate certain users.

"Until IRS fully remediates authentication control deficiencies, it is at increased risk that controls could be compromised, permitting unauthorized access to its systems and data," the report notes.

The agency additionally documented multiple cases of contractors having access to sensitive systems pass the authorized length of time.

"These weaknesses place the agency at increased risk that users with excessive privileges, users who should no longer have access to a system, and unauthorized users could inadvertently or deliberately access and modify systems," according to the report. "These risks jeopardize the confidentiality and integrity of the data they contain."

Published under: IRS