Serious security weaknesses in the Internal Revenue Service's data system have left millions of taxpayers' sensitive financial information vulnerable to hackers.
The agency claims it has fixed the problem, but its auditors beg to differ.
A new report released by the Treasury Inspector General for Tax Administration (TIGTA) found that although the IRS claimed it had implemented 19 fixes to secure the system recommended by the auditor in previous years, at least eight (or 42 percent) of them "had not been fully implemented," and should not have been checked off as completed.
The auditors said the IRS never tracked its progress on the repairs, and in many cases, it closed cases without submitting documentation to prove the fix was complete. The auditors blamed it on "weakened management controls."
The report also found that the agency didn't properly scan servers—which contain taxpayer information—for "major vulnerabilities," or properly lock user accounts, and it did not update software on databases.
"When the right degree of security diligence is not applied to systems, disgruntled insiders or malicious outsiders can exploit security weaknesses and may gain unauthorized access," Treasury Inspector General J. Russell George said.
George suggested that the IRS should strengthen its management controls, as well as provide additional training to employees involving uploading data to implement fixes.
The IRS responded to the auditor, saying it has already issued a new manual to staff to help improve monitoring practices.
The auditor's warning comes 4 ½ months after the IRS inadvertently posted thousands of Social Security numbers on a government website. Additionally, a security breach in November 2012 revealed that 74.7 GB of data was stolen from South Carolina's Dept. of Revenue, exposing Social Security numbers of 3.8 million taxpayers along with credit card numbers and bank account data.
The sense of urgency shared by the auditors and taxpayers alike, however, is apparently not shared by managers at the IRS.
(Read more: Cyberthreats on the rise, says McAfee Labs report)
This is just the latest in a spate of IRS audits that reveal a major lack of oversight at the agency, raising serious concerns about whether it's positioned to take on new and crucial responsibilities under the Affordable Care Act, which will require the IRS to store even more sensitive healthcare information from taxpayers.
Under the new law, the IRS will enforce 45 new tax-related provisions, including imposing new taxes on medical devices and Medicare, overseeing new itemized deductions for medical expenses, and imposing penalties on uninsured Americans who fail to purchase coverage on the new exchanges.
—By Brianna Ehley, The Fiscal Times