An audit of the US Inland Revenue Service (IRS) has revealed that multiple security weaknesses make taxpayers' personal data vulnerable.
A report by the Government Accountability Office (GAO) says the IT at the IRS "remains unnecessarily vulnerable" and puts taxpayer information at risk, particularly to insider threats.
According to the GAO, 69% of security weaknesses identified in the 2008 fiscal audit remain unresolved.
"Information security weaknesses continue to impair the agency's ability to ensure the confidentiality, integrity, and availability of financial and taxpayer information," the GAO said.
The report attributes the poor security to the IRS having neither a comprehensive security management system in place nor proper controls on access to sensitive information.
The report reveals that the IRS uses weak passwords, fails to remove user accounts when employees leave, allows excessive file and directory permissions, is slow to install security updates, does not encrypt data transmissions, and does not always carry out annual risk assessments.
The GAO has recommended that the IRS develop policies and procedures for network security, train contract workers on security awareness, and implement a disaster recovery plan.
"Until IRS takes these steps, financial and taxpayer information are at increased risk of unauthorised disclosure, modification, or destruction," the report said.