There are few documents that are more confidential than one’s income tax return. Consequently, one should reasonably expect that the IRS’s computer record containing details of each individual’s tax return would be secure.
In a 36-page March 16, report, the Government Accountability Office (GOA) found that the IRS’s computer systems and the data on them are not safe. Here is a summary of part of the GAO report:
Control weaknesses in these systems continue to jeopardize the confidentiality, integrity, and availability of the financial and sensitive taxpayer information processed by IRS’s systems. Specifically, the agency continues to face challenges in controlling access to its information resources. For example, it had not always (1) implemented controls for identifying and authenticating users, such as requiring users to set new passwords after a prescribed period of time; (2) appropriately restricted access to certain servers; (3) ensured that sensitive data were encrypted when transmitted; (4) audited and monitored systems to ensure that unauthorized activities would be detected; or (5) ensured management validation of access to restricted areas. In addition, unpatched and outdated software exposed IRS to known vulnerabilities, and the agency had not enforced backup procedures for a key system.”
The above list is pretty much a laundry list of what can go wrong. These vulnerabilities when combined make the problem worse. The GAO says as much in the following conclusion:
Considered collectively, these deficiencies, both new and unresolved from previous GAO audits, along with a lack of fully effective compensating and mitigating controls, impair IRS’s ability to ensure that its financial and taxpayer information is secure from internal threats. This reduces IRS’s assurance that its financial statements and other financial information are fairly presented or reliable and that sensitive IRS and taxpayer information is being sufficiently safeguarded from unauthorized disclosure or modification. These deficiencies are the basis of GAO’s determination that IRS had a material weakness in internal control over financial reporting related to information security in fiscal year 2011.”
Unfortunately, these criticisms are not new. The GAO noted that 76 of its previous 105 previously-reported weaknesses from last year’s audit had not been corrected. Of the 29 weaknesses that the IRS claimed had been corrected, the GAO determined that 13 of these 29 had actually not been addressed.