IRS’ Outdated App Security Leaves Taxpayers at Risk of Identity Theft, Watchdog Says

Natasa Adzic/

The agency is updating identity verification controls for its suite of web applications, but the effort won’t be wrapped up until 2023.

The IRS is nearly a year behind on rolling out online security measures meant to prevent identity thieves from improperly accessing taxpayer data, according to an internal watchdog.

The agency operates a full suite of web applications where the public can pay taxes, review documents and access numerous tax-related services, but many of the programs lack the latest electronic authentication controls, the Treasury Inspector General for Tax Administration said in a recent report.

Identity authentication protocols help guarantee that people logging into the apps are who they claim to be, and if they’re not strong enough, taxpayers risk having their information stolen.

“Because these applications collect, process, and store large amounts of taxpayer data, the IRS has become a target of criminals and identity thieves,” TIGTA wrote in the report. “Strong electronic authentication controls are needed to prevent identity thieves from succeeding at impersonating taxpayers and gaining improper access to tax records.”

While auditors found the agency had put in place security controls for its most sensitive applications—and sufficiently justified why it hadn’t done so for the others—TIGTA said the protections were largely outdated. The National Institute of Standards and Technology updated its framework for digital identity verification in 2017, and the IRS’ existing controls were based on the institute’s 2013 framework.

The Office of Management and Budget gives agencies one year to update systems to meet new NIST standards, but after nearly two years, IRS has yet to upgrade a single application.

“Without full implementation of [the new standards], the IRS increases the risk of using inappropriate authentication controls, which could allow unauthorized access and activities, compromised taxpayer records, and revenue lost due to identity theft refund fraud,” auditors said.

TIGTA recommended the IRS update its apps to the latest standards and create an implementation plan with specific timelines for getting the systems in check. While IRS officials told auditors they had already started testing new security protocols, they had not drafted an official implementation plan.

Auditors also took issue with the agency’s proposed timeline, which drags out the implementation effort through February 2023.