IRS Deployed E-File System with Known Security Problems

The Internal Revenue Service implemented a new electronic filing system knowing it contained security vulnerabilities that could put taxpayer information at risk.

A new report from the Treasury Inspector General for Tax Administration found that the project office for the IRS's Modernized e-File System did not prevent or resolve some known security vulnerabilities before deploying the system. Those vulnerabilities are related to system access, monitoring of system activities, disaster recovery and the protection of sensitive data.

TIGTA had previously identified some of these vulnerabilities, including in a report released last September (see IRS Computer Security Needs Improvement). But the IRS did not fix the vulnerabilities before deploying the system. The IRS opened its e-filing system on Friday, including a new component that lets taxpayers fill out on-screen forms and file their taxes for free (see IRS to Open E-filing on Friday with New Free Option). The IRS sees e-filing as a high priority to speed delivery of tax returns, but it may have sacrificed security for the sake of efficiency.

"We believe that the lack of attention to security controls during developmental phases can be traced to other business requirements, filing season pressures and deployment demands," said TIGTA Inspector General J. Russell George in a statement. "These concerns have taken precedence over security concerns, and executive-level management was not adequately engaged to ensure that security needs and requirements were being implemented."

He noted that the IRS has established policies and procedures for security and privacy requirements, but did not follow those guidelines during the planning and design phases for the system. The report also found that IRS officials did not carry out their responsibilities for ensuring the identified weaknesses had been fully addressed prior to deployment.

The IRS agreed with TIGTA's recommendations and said it would strengthen its existing processes. However, TIGTA criticized the IRS, saying it believes the existing security vulnerabilities were not caused by process deficiencies. "Instead, IRS offices did not carry out their responsibilities for ensuring that security weaknesses were corrected before deployment," said TIGTA.

Separately, the Government Accountability Office also released a report last Friday criticizing the IRS's computer security. The GAO found that the IRS continued to leave several previously unidentified security weaknesses unresolved. For example, the IRS allowed sensitive information, including IDs and passwords for mission-critical applications, to be readily available to any user on its internal network, and granted "excessive access" to individuals who did not need it.