The IRS does not have adequate safeguards in place to protect sensitive taxpayer data, according to a report by the Government Accountability Office (GAO). As a result, GAO concluded the agency had a “significant deficiency” in its ability to ensure taxpayer financial information is not exposed.

The GAO conducted this audit to determine whether IRS IT was ensuring the “confidentiality, integrity, and availability of financial and sensitive taxpayer information.” However, the report found numerous deficiencies related to IRS security.

Physical security controls designed to protect sensitive IT housed in restricted areas have not been properly implemented. Because the IRS has failed to fix previous weaknesses, the agency is unable to say whether restricted areas are adequately protected, or whether employees or visitors are improperly accessing areas they are not authorized to enter. As the report notes:

“Because employees and visitors may be allowed inappropriate access to restricted areas, IRS has reduced assurance that its computing resources and sensitive information are being adequately protected from unauthorized access.”

In addition, GAO found that the agency still uses unsupported software to manage taxpayer data. The use of this outdated software increases the risk that data may be exposed. As the report explains:

“Since April 2011 the agency has continued to use unsupported database software on a system used to access and manage taxpayer accounts. Running outdated and unsupported software increases security exposure, as the vendor will not be supplying any security patches to the unsupported software.”

The agency is even failing to ensure personal data is properly encrypted. While the IRS has established policies for encrypting data that meet the requirements of federal law, GAO found that agency programs were often not properly encrypting this data. As the report notes, this potentially leaves taxpayer data exposed:

“11 systems we reviewed had not been configured to encrypt sensitive user authentication data. By not encrypting sensitive user authentication data, increased risk exists that an unauthorized individual could view and then use the data to gain unwarranted access to its system or sensitive information.”

The report concluded that the IRS was failing to properly implement many GAO recommendations to increase security over taxpayer data. As the report explains:

“The agency’s process for verifying whether an action had corrected or mitigated the weakness was not working as intended. Specifically, for the 28 prior recommendations that IRS informed us that it had addressed, 9 of the associated weaknesses had not been effectively corrected.”

Failing to protect taxpayer data is nothing new when it comes to the IRS. Following a data breach that exposed the personal information of hundreds of thousands of taxpayers last year, the Treasury Inspector General for Tax Administration (TIGTA) revealed that the IRS has been warned at least seven times by watchdog groups that it needed to strengthen its protections of taxpayer information. Most recently:

  • In a 2014 report, TIGTA warned that if stronger protections are not implemented, “taxpayers could be exposed to the loss of privacy and to financial loss and damages resulting from identity theft or other financial crimes.”
  • A 2013 report found that the IRS had failed to fully implement eight recommendations that would increase security over taxpayer data, despite telling TIGTA they had been implemented.
  • A 2011 report found that taxpayer data was vulnerable to hackers and that stronger security measures were needed.
  • In 2010, TIGTA found that the agency had inadequate safeguards to protect taxpayer information from contract workers.