Computer-security flaws at the U.S. tax-collection agency expose millions of taxpayers to potential identity theft or illegal police snooping, according to a congressional report released Monday.
The Internal Revenue Service also is unlikely to know if outsiders are browsing through citizens' tax returns, because it doesn't effectively police its computer systems for unauthorized use, the Government Accountability Office found.
The report was released three days after the deadline for filing personal income-tax returns, and at a time when concerns about identity theft and computer security are running high.
"This lack of systems security at the IRS is completely unacceptable and needs to be corrected immediately," said House Judiciary Chairman James Sensenbrenner, a Wisconsin Republican.
The IRS promised to fix any problems and find out if tax returns had been exposed to outsiders.
The IRS over the past several years has taken steps to protect the information it collects, the report found. The agency has fixed 32 of the 53 problems that turned up in a 2002 review, the GAO said.
But the GAO found 39 new security problems on top of the 21 that remain unfixed.
Along with $2 trillion in tax receipts, the IRS also collects information on money laundering and other possible financial crimes for the government's financial-intelligence office.
But barriers between tax returns and money-laundering reports don't exist, the GAO found. Thus a police officer checking up on money-laundering reports can also read personal tax returns, in violation of federal law.
In all, 7,500 IRS employees, law enforcers and outside contractors can access and modify tax returns and financial-crime reports, the GAO found.
A master list of passwords and user names is also widely available, the report said.
"Increased risk exists that unauthorized users could ... claim a user identity and then use that identity to gain access to sensitive taxpayer or Bank Secrecy Act data," the report said.
Identity thieves have used stolen passwords to gain access to nearly half a million profiles of U.S. citizens maintained by data brokers ChoicePoint Inc and LexisNexis, a division of Reed Elsevier .
In a letter dated April 14, a Treasury Department official said many of the security holes portrayed in the report have been fixed and others should be completed by October.
The agency will figure out whether tax returns and financial-crime information have been inappropriately disclosed, Acting Deputy Treasury Secretary Arnold Havens said.
An IRS spokesman declined to comment further.
Michigan Rep. John Conyers, a Democrat, said the Judiciary Committee will consider whether additional measures are needed to strengthen computer security.
