IRS Failed to Track 11,000 Breached Social Security Numbers for Tax Fraud

The IRS failed to add more than 11,000 compromised Social Security numbers to a list it uses to help protect taxpayers from identity theft, according to an audit this month from the Treasury Department’s internal watchdog.

Fraudsters used 79 of those Social Security numbers to file phony tax returns in an effort to receive ill-gotten refunds during the 2016 and 2017 tax years, Treasury’s inspector general found.

The report focused primarily on an IRS program that collects information about third-party data breaches and tries to prevent the victims of those breaches from being victimized again when tax time rolls around.

The tax agency’s Return Integrity and Compliance Services division recorded 730 of those third-party breaches during 2017 but failed to record 89 of them or to monitor the breach victims for phony returns, auditors found.

In the case of 70 of those 89 breaches, the division was alerted about the breach but never asked the breached organization to provide victims’ Social Security numbers or other taxpayer ID numbers so IRS could monitor them.

For 15 other breaches, the breached organization passed along the ID numbers, but IRS never entered them into its Incident Management Tracker Matrix, the report states.

In four cases, the breached organization refused to share breached information, but when that happens, the Return Integrity division is supposed to try to compile that information on its own, the auditors said.

For example, if a tax preparer reports a breach of its client database, the division could create a list of likely victims by identifying tax filers who used that preparer in previous tax years, the audit states.

The Return Integrity division failed to record those breaches primarily because management hadn’t developed a process to monitor which breached organizations had provided victim ID lists and which ones hadn’t, the audit states.

Separately, the auditors found numerous cases in which the Return Integrity division received Social Security numbers and other ID numbers from a breached organization but seemingly didn’t review some of those IDs to determine whether they should be monitored for fraud.

Upon the auditors’ recommendation, the division reviewed all the taxpayer IDs it had received and found 15,143 that it hadn’t reviewed for fraud monitoring, the report states.

IRS reviewed those IDs and assigned them for fraud monitoring where appropriate, auditors said.

The auditors recommended that IRS updated its tracker to include information from the 89 breaches and the agency agreed.

IRS also agreed with the auditors’ recommendation to develop procedures to better ensure it doesn’t fail to record future data breaches.

The IRS considers data breach-related fraud one of the top five challenges facing tax administration, according to the report.