The Internal Revenue Service's failure to use strong passwords, install patches quickly, and adequately control access to computer systems and information makes the system vulnerable to insider threats and attacks from outside, a new government report concludes.
The IRS has failed to fix almost 70 percent of control weaknesses and program deficiencies identified a year ago, the Government Accountability Office said in a report released last week.
Specifically, the IRS has corrected or mitigated 28 of 89 weaknesses and deficiencies found, but left 61 of them unresolved, according to the report.
For example, the agency continues to install patches in an untimely manner, use passwords that are not complex, and allow unencrypted transmission of user and administrator log-in information. All the while, it fails to adequately control user access, log and monitor security events, and physically protect its computer resources, the report said.
"Newly identified and the unresolved information security control weaknesses in key financial and tax processing systems continue to jeopardize the confidentiality, integrity, and availability of financial and sensitive taxpayer information," the report warns.
"Until these control weaknesses and program deficiencies are corrected, the agency remains unnecessarily vulnerable to insider threats related to the unauthorized access to and disclosure, modification, or destruction of financial and taxpayer information, as well as the disruption of system operations and services," the report concludes.
One security expert said consumers need not worry because the report's conclusions were sensationalized.
"The report looked at unimportant risks and failed to address major risks," said Alan Paller, research director for the SANS Institute. "There's nothing (risky) there you wouldn't find at the GAO. The problems aren't high risk at all."