The US General Accounting Office (GAO) has released its report [pdf] detailing how the IRS website is still vulnerable.  Despite the fact that only three months have passed since the Treasury Inspector General for Tax Administration reached a similar conclusion, nothing has changed at the IRS.

The report shows that taxpayer and other sensitive data continues to remain dangerously underprotected at the IRS. According to the GAO, while the IRS has addressed 49 of 115 previously reported security issues, several critical areas remain vulnerable.

A lot of the issues are the result of a continued failure by the IRS to implement any agency-wide information security program or review risk assessments annually, the GAO said. As a result, the agency remains “particularly vulnerable” to insider threats and malicious attacks that could expose financial and taxpayer data.

The GAO pointed to specific security problems, including the following: Exposed usernames and passwords on an IRS contractor-maintained Web site; authenticated users on the IRS network with access to shared drives containing taxpayer information, performance appraisal data and sensitive data such as Social Security numbers for other IRS employees; financial information and account data that was transmitted in the clear from the IRS’s financial accounting system; inadequate logging of security events for Unix and Windows servers at a data center, and a similar lack of controls for logging changes to mainframe data sets at another data center; a failure to maintain or enforce a baseline configuration for a mainframe system, which supports the revenue accounting operation of record and other critical applications.

The webmaster should have been fired for not securing the website in the first place.  Your personal information should never be part of the URL query string and secure sessions should always be monitored.  It is only asking for trouble.  As far as I’m concerned, you can’t call it hacking when you can simply change one digit in the URL string to get other people’s information.  It’s called complete idiocy by the webmaster.

In a one-page response to the report, IRS Commissioner Douglas Shulman said data security and privacy are of “utmost importance” to the IRS, and he pledged that the agency would provide a “detailed corrective action plan” that addresses the concerns raised by the GAO.

Oh, it’s of the utmost importance, eh?  And you’re going to make a detailed corrective action plan sometime soon and that will be implemented some time after that.  Oh, that makes it okay then, because you’re “really” serious about fixing the problem.

While you’re at it, how about not giving people access to people’s private data that they can change or delete at will without any consequences to the employee?

We really shouldn’t be surprised at any of this.  The contract work for securing databases, copier repair, computer maintenance, etc., is doled out to the company with the lowest bid for the job.  If they can’t fix a copier, they probably can’t secure a network.  Those that can, long ago took jobs in the private sector where they’re paid more.