June 23, 2011

TIGTA - 2011-31
Karen Kraushaar
karen.kraushaar@tigta.treas.gov
TIGTACommunications@tigta.treas.gov
(202) 622-6500

TIGTA Report: IRS Database Security Needs Improvement

WASHINGTON - Some of the 2,200 databases that the Internal Revenue Service (IRS) uses to manage and process taxpayer data are not configured securely, are running out-of-date software, and no longer receive security patches, according to an audit report publicly released today by the Treasury Inspector General for Tax Administration (TIGTA).

Nor has the IRS fully implemented its plans to complete vulnerability scans of its databases, the report found. While the tax agency spent more than $1.1 million in software licenses and support costs for a database vulnerability scanning and compliance assessment tool, it did not fully implement it.

"As all Government databases are becoming favored targets of hackers, the importance of protecting IRS databases cannot be overstated," said J. Russell George, the Treasury Inspector General for Tax Administration. "Any failure to maintain IRS databases with the right amount of security diligence can allow disgruntled insiders or malicious outsiders to exploit security weaknesses to gain unauthorized access to taxpayer data, resulting in identity theft, fraud, or other types of illegal activity."

TIGTA used database vulnerability assessment software to conduct remote scans of the primary databases for 13 applications supporting critical tax administration business processes. Its review found high- and medium-risk vulnerabilities, as classified by the scanning tool, in each of the 13 databases.

TIGTA made seven recommendations to improve database security in its report, to which the IRS agreed. The IRS disagreed with TIGTA's $1.1 million outcome measure related to the licensing of the IRS vulnerability scanning tool, but TIGTA maintains the appropriateness of the measure.