WASHINGTON—One of the biggest repositories of personally identifiable data in the U.S., the Internal Revenue Service, has been strongly criticized in a new report from the Government Accountability Office (GAO) that found financial and taxpayer data “vulnerable” to hackers.
Moreover, said the GAO, the IRS’ controls are sufficiently weak that it could not tell if the data it holds has been breached, modified or even disclosed.
The GAO’s audit report says the IRS has made some progress in implementing certain data security controls, but that weaknesses continue to exist and that the IRS’ data remains at risk of being compromised.
The audit report found that the IRS:
- Has failed to install appropriate security updates on all of its databases and servers.
- Has failed to sufficiently monitor control activities that support its financial reporting.
- Has not effectively maintained secure configuration of a key application.
- Has not appropriately segregated duties, including allowing a developer unnecessary access to the application.
- Continues to allow usage of weak passwords.
The GAO said the IRS does have a comprehensive framework in place for its security programs, but it has not done a good job of implementing that framework.
"IRS would make an attractive target because it processes a treasure trove of personally identifiable information on American taxpayers," said the GAO, which has made 19 recommendations for actions the IRS should take to bolster IT security.
