The Internal Revenue Service implemented a new electronic filing system knowing it contained security vulnerabilities that could put taxpayer information at risk.
A new
TIGTA had previously identified some of these vulnerabilities, including in a report released last September (see
"We believe that the lack of attention to security controls during developmental phases can be traced to other business requirements, filing season pressures and deployment demands," said TIGTA Inspector General J. Russell George in a statement. "These concerns have taken precedence over security concerns, and executive-level management was not adequately engaged to ensure that security needs and requirements were being implemented."
He noted that the IRS has established policies and procedures for security and privacy requirements, but did not follow those guidelines during the planning and design phases for the system. The report also found that IRS officials did not carry out their responsibilities for ensuring the identified weaknesses had been fully addressed prior to deployment.
The IRS agreed with TIGTA's recommendations and said it would strengthen its existing processes. However, TIGTA criticized the IRS, saying it believes the existing security vulnerabilities were not caused by process deficiencies. "Instead, IRS offices did not carry out their responsibilities for ensuring that security weaknesses were corrected before deployment," said TIGTA.
Separately, the Government Accountability Office also released a