Half of America's Internal Revenue Service's (IRS) servers are running Windows Server 2003, despite extended support for it ending in July.
That's according to a report by the Treasury Inspector General that took a look at the IRS' $139m upgrade program.
The report is distinctly unimpressed and notes that the IRS "did not follow established policies over project management and provided inadequate oversight and monitoring."
As a result, the US government's tax system is potentially wide open to hackers because Microsoft has officially and publicly stopped issuing security patches for the operating system.
In an effort to avoid a massive security breach, the IRS has agreed to pay Microsoft an undisclosed "premium fee" to continue to support and patch its servers – something the report slams as indicating that the IRS "has not adequately planned for the Windows server upgrade in regard to the costs, potential security implications, and amount of time necessary to complete the upgrade."
It notes: "Upgrading to the new Microsoft workstation and server operating systems is critical, because older versions are not supported and regularly patched for security flaws, which makes them more vulnerable to hacking."
Despite having spent hundreds of millions of dollars, the program has also only managed to upgrade servers to Windows 2008. Not a single machine is running the more recent Windows 2012.
I got this ... whoops
The report lays much of the blame for the disastrous rollout on IRS CTO Terry Milholland who, according to the report, decided to take personal control of the upgrade in July 2012 when it became clear the process was already massively delayed.
The result of not having an executive steering committee – the usual process – was that "basic planning documents such as budget estimates and deployment schedules are still unsigned and incomplete." It also notes that "no official meeting minutes with the CTO or decision documents were created or signed."
In addition, the IRS reported in December 2014 that it has managed to upgrade all its workstations from Windows XP to Windows 7. But it later turned out that there were 1,300 computers still running XP. Where they were, though, nobody knew because of "inaccuracies in the inventory records."
"For the IRS, the use of outdated operating systems may expose taxpayer information to unauthorized disclosure, which can lead to identity theft. Further, network disruptions and security breaches may prevent the IRS from performing vital taxpayer services such as processing tax returns, issuing refunds, and answering taxpayer inquiries," the report noted.
In August, the IRS revealed that it had suffered a data breach in which 334,000 people's personal information was accessed. ®