IRS Reveals Your Tax Data to Visitors, Unauthorized Workers, and Former Employees

Former Internal Revenue Service employees have access to your sensitive financial information. So do current employees who aren't authorized to see such data. Even some visitors to IRS facilities may have access to sensitive material. Unless the IRS patches up its information security, warns a Government Accountability Office report, "taxpayers could be exposed to loss of privacy and to financial loss and damages resulting from identity theft or other financial crimes."

For a tax collection agency with a history of putting taxpayers at risk, the GAO report is, unfortunately, just more of the same.

It's not as if IRS officials don't know they have a problem. They do. And they went through the difficulty of purchasing more secure systems and creating new rules. But purchase orders and bureaucratic handbooks are one thing; follow-through is entirely another. Notes IRS Needs to Continue Improving Controls over Financial and Taxpayer Data, released March 19:

A key reason for the information security weaknesses in IRS's financial and tax processing systems was that, although the agency has developed and documented a comprehensive agency-wide information security program, it had not effectively implemented elements of it.

Specifically, the IRS didn't effectively control physical access to its facilities by current and former employees and even by visitors. "Because employees and visitors may be allowed inappropriate access to restricted areas, IRS has reduced assurance that its computing resources and sensitive information are being adequately protected from unauthorized access."

The tax agency also kept accounts with access to sensitive information active for years after their removal had been requested (passwords and accounts weren't set to change or expire). At least one application was managed by a "generic account." And databases weren't isolated from each other, so that employees with access to one could pull up information from another that had nothing to do with their jobs.

IRS had configured multiple Oracle databases operating on a server to run under one account. As a result, any administrator with access to the account would have access to all of these databases; potentially exceeding his/her job duties, and affecting IRS's ability to control the integrity of the data.

Note that the GAO report comes after revelations that the IRS has a habit of rehiring people it fired for snooping through data or otherwise misbehaving on the job. That may help to explain why its employees are regularly exposed as identity thieves and filers of fraudulent returns. The tax agency also improperly turns over sensitive data about taxpayers to law enforcement agencies.

The new report just makes it clear how consistently bad the IRS is at handling and protecting our information. Overall, it's hard to avoid the conclusion that all of the sensitive details about us, our finances, and our personal lives, carelessly stored in IRS databases and made available with little thought to (it seems) anybody with an unhealthy curiosity, is so much hacker bait.