The IRS apparently did not apply a number of security controls in the past, leaving taxpayer data vulnerable to “inappropriate and undetected use, modification, or disclosure”. Taken from a Bleeping Computer news article:
“Following an audit on IRS systems during the fiscal year 2018, the U.S. Government Accountability Office (GAO) concludes that the agency still has 127 recommendations to address, most of them from past evaluations. 107 of them result from previous audits while the latest assessment added 20 new ones. The largest part relates to access controls while others are for configuration management, segregation of duties, and contingency planning. The new recommendations in GAO’s report refer to 14 new information system security control faults in the areas mentioned above.
GAO found that the IRS still has issues with identification and authentication of users, authorization of access permissions, and encryption of sensitive information. A total of eight deficiencies were uncovered in these processes. Specifically for identification and authentication, the IRS did not enforce using certificates for digitally signing PDF files some tax documents included. The agency also failed to apply its policy for password expiration dates and to use multi-factor authentication to access certain applications. On the authorization side, GAO found that an application still had a function enabled that was not needed for business purposes but permitted some user accounts to download the app’s full database or parts of it. Another problem is that individual user accounts can access certain databases supporting tax processing systems, although it is not necessary for all of them. GAO’s audit also discovered that the IRS does not encrypt certain servers, the email service, and some database connections.”