It's the worst-case privacy nightmare. Hackers get into the Internal Revenue Service's computer system, which has incomes, Social Security numbers and other detailed financial information on practically every American. It hasn't happened yet, but the Government Accountability Office is saying today that the IRS still has "pervasive weaknesses" in security.

IRS made limited progress toward correcting previously reported information security weaknesses... About 70 percent of the previously identified information security weaknesses remain unresolved. For example, IRS continues to, among other things, use passwords that are not complex, grant excessive access to individuals who do not need it, and install patches in an untimely manner.

... Other significant weaknesses in various controls continue to threaten the confidentiality and availability of IRS's financial processing systems and information, and limited assurances of the integrity and reliability of its financial and taxpayer information. IRS has not consistently implemented effective controls to prevent, limit or detect unauthorized access to computing systems from within its internal network. For example, IRS did not always (1) enforce strong password management for properly identifying and authenticating users (2) authorize user access to only permit access needed to perform job functions (3) encrypt sensitive data (4) effectively monitor changes on its mainframe, and (5) physically protect its computer resources...

Accordingly, GAO has reported a material weakness in IRS's internal controls over its financial and tax processing systems.