GAO: IRS May Be Putting Taxpayer Info At Risk

Gil C/

The annual report, issued each year during tax season, has uncovered security flaws for the past several years.

The Internal Revenue Service could still be placing confidential taxpayer information at risk, despite censure from the Government Accountability Office over the past several years, a new report says.

GAO’s annual audit of IRS’s information security protocol -- released each year during tax season --  has found persistent problems that could give employees and contractors access to sensitive information about the public.

For instance, password length for some employee accounts was set to less than eight characters, and IRS did not ensure that all user account passwords were set to expire every 90 days, the report found. Some contractors did not immediately receive security training, among other findings.

Until IRS updates its security policies, tests, evaluations and problem-solving procedures, “its financial and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification or disclosure,” the report said.

For instance, out of 112 mainframe service accounts, none were configured to need a password change, and IRS employees were using a generic account for one particular application, the report said. Some user accounts were capable of accessing or changing tax-payment related data. Some Oracle databases were also operating on a server to run on one account, meaning any administrator with access to one could access all databases.

The agency also wasn’t effectively tracking employee access to agency data. IRS’ monthly review hadn’t flagged a former employee or contractor who still had access privileges, the report said.

“It’s a management problem,” Gregory Wilshusen, director of information security issues at GAO, told Nextgov. “There are technological issues associated with some of the mainframes, and establishing policies in securing a couple of the mainframes we looked at, [but] in large part it is a management problem -- making sure that actions are being taken to secure the systems.”

These flaws persist despite IRS’ progress, the report said. In the past year, IRS has improved the software that manages changes to the mainframe environment and updated secure communications enterprisewide for sensitive data.

But even once IRS management identified weaknesses, they often remained unresolved.

GAO’s last audit identified 69 weaknesses, and though IRS said it had implemented corrective actions for 24 of them, only 14 had actually been resolved, the report said.

Among GAO's recommendations were that IRS update its policy on mainframe security and make sure contractors received security awareness training. In comments submitted to GAO, IRS said it was reviewing the recommendations; a spokesperson declined to provide additional comment.

(Image via Gil C/