Security Problems Found in IRS Collection System

The Internal Revenue Service needs to improve the security of its Automated Collection System, a telephone contact system used to collect unpaid taxes and secure tax returns from delinquent taxpayers, according to a new government report.

The report, from the Treasury Inspector General for Tax Administration, found that the IRS has configured several security features on the ACS to automatically delete inactive accounts, lock out users after three unsuccessful logon attempts, and lock employee workstations after a period of time to prevent unauthorized users from gaining access to the ACS. However, TIGTA also found that IRS managers did not ensure that employees had no more than the amount of access to taxpayer records than was necessary to perform their duties. In addition, the IRS does not track all of the activities in which employees accessing the ACS engage.

“The Automated Collection System is a critical component that grants IRS employees significant access to sensitive taxpayer information to help enhance compliance activities,” said TIGTA Inspector General J. Russell George in a statement. “The IRS must implement additional security controls to protect sensitive taxpayer information from potential harm. When users are granted excessive access privileges, the risk increases for malicious actions and the unauthorized disclosure of taxpayer data.”

TIGTA made 12 recommendations to the IRS to improve its management of employee access to the ACS and the sensitive data it contains from potential harm. The IRS agreed with 10 of the recommendations and stated that it is already taking corrective actions.