The IRS is developing an identity protection strategy, and its Online Fraud Detection and Prevention office, established in 2007, helped to shut down more than 3,000 Web sites suspected of phishing for taxpayer data in 2008. The program had shut down 949 malicious sites through April of this year. But the IRS also faces internal threats to taxpayer privacy, GAO said. The agency reported 149 incidents of data loss affecting 911 taxpayers last year.
“Perhaps more importantly, IRS has information security weaknesses that increase the likelihood of IRS employees committing identity theft,” GAO said.
The report noted that the IRS had not made changes to its security protections though GAO had pointed out weaknesses in January:
Specifically, in January 2009 we reported that IRS did not consistently implement controls that were intended to prevent, limit, and detect unauthorized access to its systems and information. We noted that IRS did not always (1) enforce strong password management for properly identifying and authenticating users and (2) authorize user access, including access to personally identifiable information, to permit only the access needed to perform job functions. For example, the agency allowed authenticated users on its network access to shared drives containing taxpayer information as well as performance appraisal information for IRS employees including their SSNs.
We made recommendations to IRS regarding ways to strengthen its information security practices. IRS agreed with the recommendations and stated that the agency is working to improve its security posture, and will develop a detailed corrective action plan addressing each of our recommendations. Until IRS addresses these weaknesses, there is an increased risk that someone could use his or her access to steal personally identifiable information and commit identity theft-related crimes.