Despite public outcry about a series of incidents in which private taxpayer information was exposed – prompting questions about whether it was done for malicious political reasons – the IRS is still not protecting the data, a new Government Accountability Office investigation found.
According to a GAO audit of the IRS, during fiscal year 2013, the IRS did not implement a security information framework that would protect taxpayer information from unauthorized individuals like infiltrators and former employees.
Additionally, the GAO says that even “authorized users could intentionally or unintentionally read, add, delete, or modify data or execute changes that are outside their span of authority.”
One particular issue the GAO points out is the length of time hired contractors have access to the IRS databases as well as the amount of access administrators have. According to the report, “Nine contractors were collectively assigned 14 mainframe security software user profiles that had password expiration dates set beyond the end of the contract period.” In fact, six contractors, the GAO report points out, “were collectively assigned nine security software profiles that had no expiration dates set.”
Alarmingly, according to the audit, the IRS’s servers were configured “to use weak encryption for authentication.” Additionally, the agency did not configure the servers that administer automated file transfers of financial data to use encryption for authentication. “Until these weaknesses are corrected, IRS’s ability to reliably control access to some systems and data is undermined,” the GAO report said.
Another issue the GAO takes the IRS to task over is the physical security controls around two of the three computing centers. The IRS employs 98,000 individuals, both temporary and seasonal, and depends upon its vast computer system to accomplish the agency’s operations. The IRS uses three data and information centers, in Detroit, Michigan; Martinsburg, West Virginia; and Memphis, Tennessee, to manage and maintain financial and personal information for each U.S. taxpayer.
“However, physical security controls were not always effectively implemented. For example, during monthly reviews of individuals with an ongoing need to access restricted areas at two of the three computing centers, officials did not consistently indicate the need to remove individuals who no longer needed access. We previously made a recommendation in fiscal year 2011 to address this issue at one of the two computing centers.”