A new report from the Treasury Inspector General for Tax Administration (TIGTA) reveals that the IRS’s Fiscal Year 2025 Cybersecurity Program was not effective. TIGTA determined that three of the six core cybersecurity functions—identify, protect, and detect—were below acceptable maturity levels, and 68 percent of the metrics assessed failed to meet federal standards. Because these key foundational controls are weak, there is a serious risk of unauthorized access, modification, and/or disclosure of taxpayer data. 

The Alliance for IRS Accountability (AIA) is appalled by this revelation. These critical day-to-day controls around identifying systems and assets, protecting them, and detecting threats are fundamental to taxpayer security. Weaknesses not only pose technical risks but also direct danger to taxpayers—leaving private data highly vulnerable to leaks, identity theft, and fraudulent refunds.  

This is yet another example of the IRS's systemic flaws. Unreliable technology further erodes taxpayer trust in an agency that has repeatedly failed to protect the interests of hardworking Americans. AIA commends TIGTA for bringing this serious cybersecurity threat to light and immediately calls on the IRS to reform these ineffective controls to ensure taxpayer data is adequately protected.  

Read the full report here. 

If you, or someone you know, has experienced a specific IRS abuse and wish to flag the instance for potential inclusion in future Abuses of the Week, contact us with the details at: info@irsaccountability.org.