Dive Brief:
- The Internal Revenue Service is behind on implementing numerous security controls, according to a recent report from the Government Accountability Office.
- GAO auditors found the agency has so far failed to properly secure its systems in six areas, including controls to identify and authenticate users, restrictions on server access and encryption of authentication data.
- GAO also found that it was easy to guess the passwords used to access key IRS systems.
Dive Insight:
The IRS has been plagued with cybersecurity issues and has faced a lot of scrutiny for not improving its approach to securing its systems.
GAO also added two recommendations to a long list of unresolved IRS data security issues, bringing the total number to 45. The details of those recommendations are not publicly available.
"Until IRS takes additional steps to address unresolved and newly identified control deficiencies and effectively implement elements of its information security program, including, among other things, updating policies, test and evaluation procedures and remedial action procedures, its financial and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification or disclosure," according to the report.
In May 2015, hackers infiltrated an IRS application called “Get Transcript,” which allowed taxpayers to check their tax history online. The hackers quickly figured out how to circumvent security by assuming the identities of others and were able to download the tax histories of numerous individuals. They then filed about $50 million in fraudulent tax returns, according to the IRS.
The IRS originally said the breach affected about 114,000 U.S. taxpayers. In February, the agency revised that number and said hackers stole the personal information of about 724,000 individuals – a number that is six times larger than its original estimate.