Instead of getting better at protecting taxpayers’ personal financial information, the Internal Revenue Service is actually getting worse, according to a new report by the Government Accountability Office. The IRS has failed to fix most of its existing data security vulnerabilities, even as new ones continue to crop up.
“(C)ontrol weaknesses over key financial and tax processing systems continue to jeopardize the confidentiality, integrity, and availability of financial and sensitive taxpayer information,” the report found.
That’s a serious problem for taxpayers and consumers who rely on the IRS to keep information secure, says Ondrej Krehel, information security officer at Credit.com’s sister company, Identity Theft 911. The IRS gathers all types of information, including e-mail addresses, physical addresses and Social Security numbers—everything a thief might need to steal identities for profit.
“As I was reading it I was thinking, ‘is this a bad joke?'” Krehel says. “This is pretty bad.”
[Fraud Resource: Free Identity Risk Score and personal risk profile]
The troubles are both internal and external, Krehel says. Inside the IRS, some of the agency’s most important databases are controlled by computers that can be accessed without passwords. An insider with access to those computers could easily steal entire databases.
“You probably can’t access it from outside” the agency, says Krehel. “But if you’re on the inside, it seems there’s nothing to prevent you from accessing and copying these databases.”
Externally, the IRS receives taxpayer data from various private companies. For example, many companies offer software that helps taxpayers prepare and submit their own taxes directly to the IRS.
“If they don’t safeguard their own data properly, how do they properly vet all the middlemen who handle their data? What are their standards?” Krehel says.
The GAO has been on the IRS’s case about data security since 2008. Since then it has found serious problems with the agency’s efforts to limit identity theft by its own employees. Three-quarters of the weaknesses found previously by the GAO still plague the agency, despite years of efforts by the IRS to fix its security weaknesses.
“(U)ntil the agency corrects the identified weaknesses, its financial systems and information remain unnecessarily vulnerable to insider threats, including errors or mistakes and fraudulent or malevolent acts by insiders,” according to the report.