If You Are in Debt, the IRS Might Have Leaked Your Social Security Number

Updated: On April 14, the IRS provided an explanation for the problem. The story has been updated to reflect the agency's comment.

Over the past year, the Internal Revenue Service has tangled with crafty thieves who fooled its systems into spitting out valuable data. Now, the tax agency faces another leaker -- itself. 

The IRS neglected to strip out personal information in publicly viewable agreements between indebted individuals and Uncle Sam on tax reductions, according to a new inspection. 

Specifically, investigators found more than 300 Social Security or Employer Identification numbers visible on such so-called Offers in Compromise. A separate, statistically valid review of 300 records turned up seven erroneous disclosures.

The agreements were available for anyone to peruse at physical IRS offices nationwide, until the Treasury Inspector General for Tax Administration alerted the agency.

The inspector general "provided the IRS with photographs of the redaction omissions and advised management to suspend public inspections until a full review could be completed," Gregory Kutz, acting deputy IG for inspections and evaluations, said in a memo released Tuesday afternoon.  

The leaks partly were because agency personnel, for reasons not explained, printed out final copies of agreements without using the automated redaction feature.

On April 14, after this story was originally published, the IRS provided Nextgov with an emailed explanation: "The IRS commissioner has noted that this was an oversight on our part and we have taken corrective actions to prevent this from happening in the future."

Staff relied on permanent markers or grease pencils, or in some cases printed black bars over the confidential information. 

"Sometimes, the mark-over does not fully conceal the sensitive information," Kutz said. "In other instances, employees overlook sensitive information."

In a written response to a draft inspection, Karen Schiller, commissioner of the IRS small business/self-employed division, said, "Given the rarity of public viewing requests for this information, the risk of exposure is minimal,” adding that "the likelihood of identity theft or other harm was very low." The affected taxpayers were not notified, she said.

The tax agency plans to change the redaction process, however. One possibility would be funneling the files through an internal system controlled by “a gatekeeper” who would check redactions a second time, Schiller said.

In addition, IRS computer programmers are developing software that would print only specific data required to be public.

Breaches of confidentiality in agreements like these have persisted for more than half a decade. This review only looked at casework between August 2014 and July 31, 2015. 

In 2010, 27 percent of files contained redaction errors, and the IRS Privacy, Governmental Liaison and Disclosure office “distributed the results to all responsible IRS functions” at the time, Kutz said.

A follow-up report in October 2015 found oversights in 29 percent of cases. 

The Transportation Security Administration also has shared too much information in the past – and used technology to caulk leaks.

In 2009, TSA released an entire secret manual with instructions on what types of people should be pulled aside for secondary screening, how to fix metal detectors and other information terrorists might like to know. The goof led to the invention of a redaction tool that automates what was then a 15-step process for removing sensitive information from public documents.

This is the fourth time in the past year the IRS has yanked taxpayer services because of information security foibles.

Last month, the tax agency unplugged a website for ordering "Identity Protection PINs" or IP PINs, which are intended to help identity theft victims stop fraudsters from claiming refunds under their names. 

Criminals had been entering valid answers to security questions (which are easy to guess or find online) to trick the system into delivering them the special codes. By the agency's count, 800 IP PINs were stolen through February. 

The same kind of security flaw prompted the IRS last spring to pull offline its "Get Transcript" tool -- but not before scammers typed in personal information (stolen from elsewhere) to access financial data on 700,000 taxpayers. 

Then, in February, the IRS disclosed a "bot," essentially an automated malicious program, entered Social Security numbers (again, stolen elsewhere) into a system that generates so-called e-file PINs. E-file PINs are required if you are missing other acceptable types of identification such as your adjusted gross income. The malware successfully picked up 101,000 e-file PINs.

Now, tax swindlers don't even need to steal so much personal information. The IRS apparently is giving it away for free.