IRS’ Rush to Secure Exposed Taxpayer Data Left It Vulnerable Again


Personal information about more than 350,000 taxpayers was compromised in 2015. Three years later, it’s still not secure.

In its rush to respond to a 2015 crisis that allowed scammers to access the personal information of more than 350,000 taxpayers, the Internal Revenue Service skipped required security plan updates and risk assessments.

That haste may have left the already compromised taxpayer data vulnerable for years to come, according to an audit released Thursday.  

The 2015 crisis was spawned by weaknesses in the identity verification process for the IRS’ “Get Transcript” feature.

Because the verification process wasn’t rigorous enough, scammers were able to use taxpayers’ personal information gathered from other sources, including data breaches, to get copies of their tax records and all the personal information they contained.

The fraudsters could then use that data to file phony tax returns and steal refunds or for other nefarious purposes.

IRS officials shut down the Get Transcript feature after they discovered the vulnerability. They also moved Get Transcript application logs—including taxpayers’ personal information—to the agency’s Cybersecurity Data Warehouse in Memphis where a team of 16 digital fraud analysts could comb through the data to spot instances of fraud.

The IRS didn’t follow its own processes for ensuring taxpayer data would be safe inside the data warehouse, however, and didn’t document all the changes it made, according to the report from the Treasury Inspector General for Tax Administration.

The move happened with such haste, in fact, that the top authorizing official for the suite of IRS technology systems that includes the Cybersecurity Data Warehouse didn’t even know that taxpayers’ personal information had been transferred there, the report said.

That official only learned about the transfer from auditors, the report states.

“If appropriate officials are not aware that [personally identifiable information] has been transferred into a system that was not originally designed to protect PII, they cannot adequately protect that data or take steps to prioritize necessary resources to appropriately manage the system from a security and risk perspective,” the audit states.

IRS officials told auditors they were in a hurry to transfer the taxpayer data so they could prevent additional fraud “and therefore did not prioritize system documentation.”

Two years later, however, the agency still has not completed some of that documentation and some security controls “remain weak,” the auditor said.

The IRS did follow proper procedures to ensure the physical security of the Memphis building where the taxpayer data is stored and to control which employees can access it, the report said.

When the audit began, however, IRS was not tracking what those employees were doing inside the system, auditors said. That means the agency might not have caught an employee who improperly removed taxpayer data—either accidentally or maliciously.

During the course of the audit, the IRS installed a tool to track the fraud analysts who access the taxpayer data, but there’s still no process for how and when the agency will review that tracking data, auditors said.

Who’s Accountable

IRS officials tangled with auditors over a key recommendation of the report—that IRS employees should be “held accountable for not following established change management policies and procedures” and for putting taxpayers’ data at risk.

The phrase echoes language in a 2017 cybersecurity executive order from the Trump administration, which promised top agency officials would be held accountable for data breaches and poor security practices.

The IRS argued “this was not an issue of holding employees accountable,” according to the report, because the data warehouse’s protections already met standards for storing taxpayers’ personal information, even though that information wasn’t previously stored there.

Auditors didn’t buy that explanation, noting that “by not notifying the authorizing official and completing the required tasks, the IRS employees introduced new security weaknesses and risk to the [data warehouse].”