Despite warnings, the IRS is continuing to put taxpayer information at risk, according to a report from the Government Accountability Office.
The GAO says that staff are continuing to use easy-to-guess passwords, and that accounts for staff that have left aren't being deactivated quickly enough.
Staff are also being given far more access to information than is actually necessary.
"For example, about 120 IRS employees had access to key documents, including cost data for input to its administrative accounting system and a critical process-control spreadsheet used in IRS’s cost allocation process," says the report. "However, fewer than 10 employees needed this access to perform their jobs."
Log-in information is being transmitted without encryption, says the GAO, with 18 routers using a protocol that was configured to authenticate information using plain text.
Security patches are being installed in a haphazard and tardy way.
Of the 89 security weaknesses identified a year ago, says the GAO, the IRS has fixed just 28.
"Until these control weaknesses and program deficiencies are corrected, the agency remains unnecessarily vulnerable to insider threats related to the unauthorized access to and disclosure, modification, or destruction of financial and taxpayer information, as well as the disruption of system operations and services," says the report.