A new Government Accountability Office report reveals that security vulnerabilities at the Internal Revenue Service allow former employees to continue to access Americans' sensitive financial information long after leaving the agency. Visitors and unauthorized employees are also able to gain access to restricted areas.
Citing deficiencies in the security of IRS computer systems, the GAO said that IRS information systems are still vulnerable to a number of security breaches.
"Taxpayers could be exposed to loss of privacy and to financial loss and damages resulting from identity theft or other financial crimes," GAO said, reported Reason.
IRS officials knew their financial and tax processing systems were vulnerable. To fix the issue, the agency purchased new, more secure systems and created new rules. But according to the GAO, "although the agency has developed and documented a comprehensive agency-wide information security program, it had not effectively implemented elements of it."
The GAO noted that the IRS still used outdated software with security holes, leaving private taxpayer information vulnerable to hackers.
"IRS did not install appropriate security updates on all of its databases and servers, and did not sufficiently monitor control activities that support its financial reporting," the GAO said.
Agency passwords can be easily bypassed, and the IRS doesn't always remove employee access to systems when workers quit or are fired.
"Because employees and visitors may be allowed inappropriate access to restricted areas, IRS has reduced assurance that its computing resources and sensitive information are being adequately protected from unauthorized access," the report said.
Some accounts with access to sensitive information remained active for years after their removal had been requested, and passwords never expired. Because databases weren't kept separate, an employee with access to one could also access others.
"IRS did not effectively maintain the secure configuration of a key application, or appropriately segregate duties by allowing a developer unnecessary access to the application," the report said.
"IRS had configured multiple Oracle databases operating on a server to run under one account. As a result, any administrator with access to the account would have access to all of these databases; potentially exceeding his/her job duties, and affecting IRS's ability to control the integrity of the data," the report said.
The GAO said in a previous report that there were 69 security vulnerabilities at the tax agency, but about 20 of those still remain.
The watchdog recommended that the IRS "take 5 additional actions to more effectively implement elements of its information security program. In a separate report with limited distribution, GAO is recommending 14 actions that IRS can take to address newly identified control weaknesses."
The report concluded: "Until IRS takes additional steps to (1) address unresolved and newly identified control deficiencies and (2) effectively implements elements of its information security program, including, among other things, updating policies, test and evaluation procedures, and remedial action procedures, its financial and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification, or disclosure."
According to the Treasury Inspector General for Tax Administration, 1.6 million taxpayers were affected by identity theft in the first part of 2013. The large spike in fraud is suspected to be due to an increase in electronic filings.
