IRS Risks Data Breach Repeat While Expanding Online Services
Richard Rubin
The IRS’s initiative to expand online services for taxpayers makes it more likely that the U.S. tax agency will be hit by “hackers and other fraudsters,” the agency’s inspector general said Tuesday.
One of the Internal Revenue Service’s early forays into interactive service was halted last month after the agency said identity thieves had accessed past tax returns of 104,000 people.
The IRS provided updated numbers Tuesday, showing that about 13,000 fake tax returns have been filed using that information, with an estimated loss of $39 million to the government.
Though the data breach didn’t compromise the IRS’s core systems, it marked a significant setback for the agency’s efforts to cut costs and mimic financial services companies.
“Even security controls that may have been adequate in the past can be overcome by hackers, who are anonymous, persistent and have access to vast amounts of personal data and knowledge,” Russell George, the inspector general, told the Senate Finance Committee during a hearing on Tuesday.
The data breach involved a “get transcript” function on the IRS’s website. Taxpayers had to submit personal information, such as their Social Security number, date of birth and tax filing status. Then they had to authenticate that information with so-called out-of-wallet information, such as their monthly mortgage or car payment, according to IRS Commissioner John Koskinen.
Past tax returns are especially valuable to identity thieves because they allow them to create plausible fake tax returns that mimic a real return, evade computerized anti-fraud filters and then direct the refund to a prepaid debit card.
The identity thieves, who George said used Internet domains in Russia and other countries, were able to bypass the safeguards repeatedly and the IRS stopped the application on May 21. Several agencies are investigating the incident and the IRS is contacting the affected taxpayers.
“Your agency has failed these taxpayers,” Senate Finance Committee Chairman Orrin Hatch, a Utah Republican, said to Koskinen.
Not all 104,000 thefts led to fake tax returns because some of the legitimate taxpayers had already filed returns or because IRS computers rejected the returns as suspicious.
“The IRS is not and will never be exempted from this constant threat,” Hatch said. “In fact, there is reason to believe the IRS will be more frequently targeted in the future.”
The most recent data breach is a fraction of the identity theft problem facing the IRS. According to George’s testimony, the IRS lost more than $5 billion to refund fraud in 2013.
George’s prepared testimony questioned the IRS’s data-security efforts and said the agency hasn’t implemented 44 recommendations from his office. For example, he said the agency could do a better job terminating unused accounts and limiting shared accounts.
If the IRS had implemented those recommendations, it would have been more difficult for thieves to enter the system. He stopped short of saying the breach could have been prevented.
Data security is especially important, George said, as the IRS expands its online efforts. According to George’s statement, the IRS is planning a secure messaging pilot program in 2016 “that will lay the foundation for a broader taxpayer digital communication rollout in the future.”
Congress has been cutting the IRS budget, and Koskinen has pitched expanded online services as a way the agency can conserve resources and serve taxpayers.
In addition to asking for more money, Koskinen said Congress could expand the agency’s ability to hire well-paid technology workers and accelerate the deadlines for employers and others to file information returns that can be used to check against filed tax returns.
The get-transcript application served 23 million taxpayers this year and the agency would have been “much less efficient” without it, Koskinen said. IRS call centers and walk-in offices were jammed during the 2015 tax filing season.
In his testimony Tuesday, Koskinen showed few signs of veering from that path.
“We must balance the strongest possible authentication processes with the ability of taxpayers to legitimately access their data and use IRS services online,” Koskinen said in his written statement. “The challenge will always be to keep up with, if not get ahead of, our enemies in this area.”