Despite some improvements, the Internal Revenue Service’s oversight and protection of sensitive tax collection documents and data continues to pose a threat to the government and U.S. taxpayers, according to a new report by the Government Accountability Office.
The GAO has long raised concerns about the IRS’s vulnerability to computer hacking by outsiders and agency employees without proper security clearance. The GAO’s latest report highlights the vulnerability of massive amounts of tax data and government-wide personal information.
The report commended the IRS for a number of corrective actions, including a toughening of access controls over certain system administration accounts and an updating of computer software to prevent exposure to known vulnerabilities.
Nevertheless, the agency’s financial and tax processing systems continue to be plagued by security deficiencies, the report said, “exposing financial and sensitive taxpayer information to unnecessary risk of unauthorized access, use, disclosure and modification.”
The GAO has made scores of recommendations for improvements over the years, although 120 specific proposals for preventing criminal or unauthorized access to the agency’s automated tax records system have yet to be addressed by the IRS.
GAO auditors warn that financial and taxpayer information on IRS systems “will remain vulnerable” until the IRS does a number of things, including addressing “control deficiencies” pertaining to data protection, physical security, and identification and authentication.
The report asserted that the IRS must update its overall data security plan “to reflect the current operating environment.” It also said the IRS must ensure that internet software is adequately monitored and updated by vendors to protect against known or suspected vulnerabilities.
“Until IRS takes additional steps to address unresolved and newly-identified control deficiencies and effectively implements components of its information security program, its financial reporting and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification, or disclosure,” the report concluded.
Cyber hacking is no small concern. A 2014-2015 cyber hack of the IRS reportedly gained access to personal data from more than 720,000 taxpayer accounts. The stolen information included Social Security numbers, birth dates and other data that cyber criminals can easily use to steal taxpayers’ identities, file false tax returns and collect refunds.
The Treasury Inspector General for Tax Administration, which oversees the IRS, documented the heightened threat to taxpayers in a subsequent nine-month review. The cyber thieves gained access to taxpayer accounts between January and May 2015, when the scam was revealed. The IRS subsequently disabled a vulnerable online function that enabled legitimate taxpayers to follow the progress of their returns.
In their response to the latest GAO findings, IRS officials neither agreed nor disagreed with the recommendations. However, the agency said that it would review each of the recommendations and ensure that its “corrective actions include sustainable fixes that implement appropriate security controls,” according to the GAO report.