IRS still not up to speed on data security

  • 4 February 2019
  • NormanL

The IRS has long had difficulty keeping your personal information safe from hackers. Hundreds of thousands of taxpayers were victimized in an IRS data breach back in 2015. Since then, the agency has been almost continually prodded to tighten up its security. According to a recent Government Accountability Office report, the IRS still has a very long way to go:

Despite making improvements, IRS continues to face challenges in correcting previous and ongoing information security control problems in its financial systems that contain taxpayer data. IRS had the most weaknesses in preventing unauthorized access to its systems and proper configuration management (i.e., security features for information systems). For example, IRS has not

* consistently enforced password expirations or minimum password lengths,
* installed critical security patches to databases supporting 5 information systems, and
* replaced outdated software that the vendor no longer supports.

Our recommendations

By the end of fiscal year 2017, IRS had not fully implemented 117 prior GAO recommendations, and we made 37 new recommendations to address information security control problems for a total of 154 outstanding recommendations.

You can read the entire GAO report here

Among the GAO's conclusions:

Until IRS takes additional steps to address unresolved and newly identified control deficiencies and effectively implements components of its information security program, IRS financial reporting and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification, or disclosure. These shortcomings were the basis for GAO's determination that IRS had a significant deficiency in internal control over financial reporting systems for fiscal year 2017.

That is absolutely unacceptable.