The U.S. Internal Revenue Service (IRS) failed to implement a good deal of security controls recommended over the years. The agency still has 127 recommendations to address, most of them from past evaluations. The largest part relates to access controls while others are for configuration management, segregation of duties, and contingency planning. GAO’s audit also discovered that the IRS does not encrypt certain servers, the email service, and some database connections. The agency’s email service was in the hands of only one individual, which presents obvious risks.
Source: https://www.bleepingcomputer.com/news/security/irs-improved-security-but-taxpayer-data-is-still-at-risk/