GAO takes IRS to task over security weaknesses

A recent Government Accountability Office report found that the IRS has inconsistently implemented its agencywide security controls, constituting a “significant deficiency” in financial reporting and exposing taxpayer and financial data to unnecessary risk.

Among the weakness the GAO cited were insufficient controls for identifying and authenticating users, authorizing users’ level of rights and privileges, encrypting sensitive data, auditing and monitoring network activity and physically securing the facilities that house its IT resources.

Specifically, the agency used easily guessable passwords on servers that support key IT systems; users were granted permissions that exceeded what they needed; and some systems were not configured to encrypt sensitive user authentication data. Additionally, the IRS did not establish proper logging for audit and monitoring for two applications, and it failed to ensure the timely application of security patches.

The GAO also addressed the challenges that the IRS is facing detecting identify theft-based refund fraud. Though the IRS worked with consumers, financial institutions and states to further prevent identity fraud, the agency should implement pre-refund matching of taxpayer returns with information returns from employers and strongly assess the costs, benefits and risks of improving methods for authenticating taxpayers, GAO said.

In order to fully improve information security within its systems and prevent data breaches, the GAO made 43 technical recommendations in a separate report to address 26 new weaknesses in access controls and configuration management.

At a hearing before the Senate Finance Committee regarding the report, IRS Commissioner John Koskinen told committee members that the IRS must maintain a “delicate balance” between keeping criminals out of IRS systems while letting legitimate taxpayers in. He said his agency is working on developing a better-coordinated authentication framework to avoid some of the errors made in the past.

Congress continues to ask the IRS to do more with less by enacting deep and damaging cuts to the agency's budget," Sen. Tom Carper (D-Del.) said. "I'm concerned that these successive budget cuts may be pennywise and pound foolish when it comes to ... the agency's ability to protect American taxpayers' information online."

FCW’s Aisha Chowdhry contributed to this report.

About the Author

Amanda Ziadeh is a former reporter/producer for GCN.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected