The IRS has not effectively implemented controls over key financial and tax processing systems located at a critical data processing facility, according to the GAO. For example, access controls over the mainframe computing environment did not separate IRS taxpayer data from FinCEN's Bank Secrecy Act data, two types of data with different security requirements.
The GAO also reported that the IRS has not implemented controls for physical security, segregation of duties, and service continuity at the facility.
"Collectively, these weaknesses increase the risk that sensitive taxpayer and Bank Secrecy Act data will not be adequately protected from unauthorized disclosure, modification, use or loss," the agency said.
The GAO attributed the security weaknesses to the lack of an agencywide information security program, including policies and procedures, training, and testing.
"Until IRS fully implements a comprehensive agencywide information security program, its facilities, computing resources, and the information that is processed, stored, and transmitted on its systems will remain vulnerable," the agency said.
Treasury officials generally agreed with the GAO's recommendations to fully implement an agencywide infosec program and to assess whether taxpayer data may have been exposed. They also said the IRS has taken steps to improve security, including developing security plans and testing.
The GAO's report comes a month after the IRS inspector general reported that IRS employees are susceptible to social engineering.
Another GAO report found weak information security controls at the Securities and Exchange Commission (SEC), which put sensitive data such as payroll and financial transactions at risk.