Inspector general says tax e-file system is not error-free

Security weaknesses persist, despite IRS' claim to the contrary.

Security vulnerabilities in the Internal Revenue Service's electronic tax filing system persist, according to a new report from the inspector general, despite previous claims from the agency that those weaknesses had been fixed.

The IRS reported in December 2008 that it resolved 10 of 13 previously identified security vulnerabilities in its Modernized e-File system, but the agency conducted routine system tests in January 2010 that showed only two of the problems were eliminated.

The Treasury Inspector General for Tax Administration analyzed the weaknesses and found the agency's methods for resolving the issues were not always adequately assessed.

"Without proper controls to monitor and resolve the [Modernized e-File] system security vulnerabilities and findings, unauthorized access to taxpayer information would continue to be available and possibly go undetected," reported the IG in an audit released on Monday. "Consequently, the confidentiality, integrity and availability of the taxpayer records maintained by [the system] could be impacted."

The IG also noted that lax oversight and review of user activities increases the likelihood that problems could go undetected by organization officials.

For example, according to the internal security tests conducted in January 2010, the processes for establishing and confirming user identification on the system did not meet federal government standards; database users had more access privileges than they needed to carry out their responsibilities; and after the maximum number of consecutive unsuccessful login attempts, the system did not enforce automatic account lockout for a minimum of 24 hours, in accordance with IRS policies. Status updates the IRS provided to the inspector general in December 2009, however, stated all these issues had been resolved.

Other security weaknesses identified continue to affect the agency's ability to log and audit system activities, despite previous claims by the agency that they had been resolved. The vulnerabilities won't be addressed until between June 2010 and April 2011, the IG reported.

"Therefore, the security vulnerabilities may still exist for [release 6.1 of the Modernized E-File system]," which began operating in February 2010. This latest version of the software processes the U.S. Individual Income Tax Return (Form 1040) for the first time.

The IRS agreed to an IG recommendation to ensure that system owners enter and track all system security weaknesses in its control systems, including those in the Modernized E-File system, noting that the agency's cybersecurity office has made continuous improvements in recent years to its process for reporting plans and milestones.
