IRS Still Has Dozens of Cyber Fixes to Make From Last Year

Mark Van Scyoc/

Numerous security deficiencies in the agency’s IT ecosystem could leave data on millions of taxpayers at risk, according to the Government Accountability Office.

The IRS has yet to address dozens of security gaps within its IT infrastructure and data management processes that could leave the information of millions of taxpayers vulnerable to digital attackers, according to a congressional watchdog.

The Government Accountability Office on Thursday released a report outlining numerous deficiencies in the tax agency’s information security procedures, many of which could allow employees or other nefarious actors to illegally access taxpayer data. Though the public version of the document offered few details on specific vulnerabilities, it highlighted the sheer magnitude of the agency’s cyber woes.

As of September, the IRS has yet to fully implement 127 GAO recommendations intended to bolster the security of the agency’s IT infrastructure, according to auditors. All but 20 of those recommendations had been issued prior to the watchdog’s 2018 audit, they said.

“These new and continuing information system security control deficiencies, which collectively represent a significant deficiency, increase the risk that IRS’s financial reporting and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification or disclosure,” they wrote to IRS Commissioner Chuck Rettig.

According to the report, nearly three-quarters of the recommendations seek to address shortcomings in the agency’s access control procedures, which include user authentication, encryption, activity monitoring and other processes. During the audit, GAO found IRS officials failed to use multi-factor authentication for certain systems, lock users out of tax processing databases and encrypt multiple servers, among other shortcomings.

Auditors also found the agency didn’t consistently upgrade outdated software and failed to create an adequate contingency plan for its internal email service.

Despite the numerous deficiencies that remain, GAO commended IRS officials for making notable progress on their cybersecurity practices over the past year. The agency had successfully closed 47 outstanding recommendations over the course of 2018, they said.

The report came days after IRS launched the “Tax Security 2.0 checklist,” a campaign meant to push the tax industry to implement a series of basic cybersecurity procedures. The checklist included six technical solutions meant help protect taxpayer data—antivirus software, firewalls, two-factor authentication, backup software, full-disk encryption and virtual private networks—at least two of which the IRS itself is failing to use.