By Toby Eckert
An IRS cybersecurity system that houses taxpayer information, including data transferred from an online tool that was breached in 2015, had several security weaknesses, according to a report released today by an agency watchdog.
Taxpayer data from the Get Transcript tool was transferred to the Cybersecurity Data Warehouse (CSDW) before the agency performed required tasks like updating its system security plan, the Treasury Inspector General for Tax Administration (TIGTA) said.
The IRS also failed to implement audit controls to monitor the work of fraud analysts and system administrators, creating a risk that the agency would be unable to spot employees who violate taxpayer privacy laws and unauthorized access policies.
In addition, the IRS couldn’t provide an inventory of systems and applications used to transfer taxpayer information to the CSDW until TIGTA’s audit was completed last February.
TIGTA recommended several changes to IRS security practices, including holding employees responsible for not following established policies for making changes in the CSDW, making sure that system security plans are updated as required, implementing automated controls to monitor all IRS personnel with access to taxpayer data in the system, and maintaining a complete and accurate inventory of systems that transfer taxpayer information to the CSDW.
The IRS agreed with the personnel monitoring and inventory recommendations, the report said. But the agency said the CSDW was already secure enough to protect sensitive data and denied that employee accountability was an issue in the CSDW change policies, according to TIGTA.