HMRC's fragmented IT structure was a contributory factor to the department's loss of personal details of 25 million Britons.
The news came as the Information Commissioner announced he would take enforcement action against HMRC for the breach.
The merger of Inland Revenue and HM Customs and Excise in 2005 to form HMRC left the organisation with fragmented IT systems, the review by Kieran Poynter, chairman and senior partner at PricewaterhouseCoopers found.
IT systems include supporting services such as PAYE, National Insurance, Child Benefit and Tax Credits. Each system has to maintain and secure different sets of customer data.
"Maintaining these separate records is both inefficient and increases information security risk because of the constant need to bring this information together."
"Putting better controls around the existing set of processes and supporting systems will improve information security, but to reduce information security risk to acceptable levels will require more fundamental change," the report said.
Although organisations can introduce strategy, people, process and technology to make sure the fundamentals of information security are right, they would do little to help the HMRC.
"The best controls in the world can never ultimately eliminate the information security risk associated with the fragmented state of HMRC's IT estate and its processes," the report said.
The review found that a lack of security education and awareness at HMRC made it difficult for employees to work securely.
It recommended that HMRC sets out a detailed road map outlining what the business and its supporting IT will look like year by year.
The report coincided with the publication of a security framework today by cabinet secretary Sir Gus O'Donnell, which recommended a widescale reform across Whitehall into the way government departments handle sensitive data.
Other key recommendations of Poynter report:
HMRC should move to a single customer record for individuals and a single customer record for all parts of the organisation
HMRC should have the powers to be able to specify secure methods of exchanging data with its customers, starting with businesses and over time including individuals
The transfer of digital data involving physical media should be phased out completely
In the short term, any removable media should be encrypted so that if they are lost or stolen any data or information on them cannot be accessed