More Bad News from IRS About Taxpayer Info Security


A restricted GAO report hints at severe vulnerabilities of taxpayer data.

The IRS is still failing to adequately protect U.S. taxpayers’ personal information and sensitive financial data, according to an audit report announced Monday.

The Government Accountability Office is not releasing the text of the report because it contains either classified or sensitive but unclassified information, the auditor said. The title of the report cited “control deficiencies” that “limit IRS's effectiveness in protecting sensitive financial and taxpayer data.”

While details of this report aren’t public, GAO published an unclassified report with the same title in July, which likely covered similar ground. The reports are part of a long history of information security shortfalls GAO has documented at IRS stretching back years.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

The July report tallies 166 outstanding recommendations related to information security best practices and ensuring that taxpayer and financial information can’t be accessed by people who don’t need to access it.

GAO faulted the tax agency for not monitoring its systems to ensure employees are complying with security policies, not ensuring software is updated to protect against digital vulnerabilities or is even still serviced by the vendor, and not updating security plans as the agency’s operating environment changes.

That report closed 26 out of 120 pre-standing information security recommendations from the beginning of the 2016 fiscal year but opened another 98 recommendations.

The auditor determined GAO had a “significant deficiency in internal control over financial reporting systems” that left taxpayer data “unnecessarily vulnerable to inappropriate and undetected use, modification, or disclosure.”

IRS improvements during 2016 included limiting the access of some system administrators to only the systems they need to access and improving some software patching, according to the report.