March 20, 2012
The Internal Revenue Service is failing to safeguard taxpayer financial information and prescreen agency job applicants before they handle returns, two new government watchdog reports find.
The reports warn that the agency is seriously vulnerable to computer hacking and internal tampering, which would compromise the confidentiality of tax returns and private financial information. Moreover, the agency appears to be doing a poor job of vetting prospective employees.
The Treasury Inspector General for Tax Administration, which monitors the IRS, concluded in a report Monday that 77 percent of the agency’s new hires had no documentation confirming that they had been subjected to required background checks.
This follows a separate audit released Friday by the Government Accountability Office, which found that the IRS computer systems, which amass more than $2 trillion in tax collections and dole out nearly $400 billion in refunds, lack adequate security controls to prevent sensitive taxpayer data from being hacked.
The report found “control weaknesses” in the agency’s computer systems, which include failures to encrypt data as it moves through three data centers in Tennessee, West Virginia, and Michigan, and faulty password infrastructure to authenticate and track users accessing it. All told, those shortcomings, along with outdated software, could “jeopardize the confidentiality, integrity and availability of the financial and sensitive taxpayer information processed by IRS’s systems,” the report found.
Sixteen IRS employees not in charge of accounting logged into the financial information database without approval, and weak password controls currently leave the systems vulnerable to hacking, the report found.
Most of these risks aren’t news to the IRS—of the 105 computer weaknesses GAO noted in the previous year’s report on the subject, only 29 have been addressed or corrected. This is now the fifth year that GAO officials have flagged the IRS for not complying with a federal cyber security law that says all agencies must enact comprehensive initiatives to audit and monitor their own technology regularly.
Since 2009, GAO has repeatedly identified security gaps in the UNIX computer operating system the IRS has used since that year, most of which the agency has not addressed. Leaving those cyber security gaps in place means the “IRS increases the risk that known vulnerabilities in its systems may be exploited,” the report said.
Part of the IRS’ more recent woes with technology could have to do with budgetary constraints, said Eric Toder, co-director of the Urban Institute-Brookings Institution Tax Policy Center and a former IRS employee. The IRS budget has been cut by millions in recent years as Republicans have rallied to cut government spending. Another possibility is that the IRS is already struggling to automate its tax collection systems and installing apparatus for security is a lower priority, said Mark Luscombe, a tax attorney and principal analyst at CCH, a tax publisher.
These oversight reports are somewhat commonplace, and even in good times the agency hasn’t done all it can to be as efficient as possible, Toder said. “But today, there’s a question of ‘Yeah, you could do better at this, but what resources do you have to divert to do that?’” Toder said.
GAO recommended that the IRS take six specific steps to enact a computer security program and monitor sensitive data, in addition to 23 other security improvements.
Earlier this month, IRS Commissioner Doug Shulman responded to a draft of the report, calling “the security and financial privacy of all taxpayer and financial information of the utmost importance to us.” He added, “We are committed to securing our computer environment as we continually evaluate processes, promote user awareness and apply innovative ideas to increase compliance.”