IRS missed steps to accurately track outside data breaches, TIGTA reports

The IRS failed to flag compromised personally identifiable information linked to dozens of external data breaches last year and put the tax information of nearly 11,000 people at risk, according to a recent watchdog audit.

From that pool of compromised data, the Treasury Inspector General for Tax Administration (TIGTA) found fraudsters managed to file 79 bogus tax returns with the IRS.

The first problem — TIGTA determined the IRS didn’t keep an accurate inventory of data breaches reported by tax preparers and other entities that handle sensitive information, such as taxpayer identification numbers (TINs).

The IRS’s Return Integrity and Compliance Services (RICS) in 2017 reported a total of 730 external data breaches to its Incident Management Tracker Matrix. However, TIGTA found the agency failed to report 89 data breaches on that internal dashboard.

Advertisement

“Our review identified that necessary actions were not always taken to protect taxpayers associated with all reported data breaches,” TIGTA wrote in its Nov. 19 report.

In 70 of those 89 cases, TIGTA found IRS officials didn’t ask entities disclosing data breaches for a list of the TINs affected by the breach, as required. Moreover, they didn’t take steps to identify those compromised Social Security numbers using the data they had.

“Internal guidelines state that RICS analysts should attempt to create a list of stolen TINs by using information in the external entity’s email that reported the data breach, if appropriate,” TIGTA auditors wrote. “For example, if the entity is a tax return preparer who reports that his or her clients’ TINs were stolen, the employee could create the TIN list by identifying tax returns filed under the tax return preparer’s Preparer Tax Identification Number in the prior filing season. None of these actions were taken by the RICS analysts.”

In 15 of those 89 unreported data breaches, the entity disclosing the breach gave the IRS a list of compromised TINs — about 11,000 Social Security numbers total — but the agency didn’t add those to its Dynamic Selection List, a preventative program that gives legitimate taxpayers an opportunity to authenticate before processing.

Taxpayers linked to 79 of those Social Security numbers had already had already experienced tax return fraud during the 2016 or 2017 tax filing seasons.

Edward Killen, the IRS’s chief privacy officer, told House lawmakers in September that more frequent data breaches make it “fundamentally more difficult” to stop paying out fraudulent tax returns.

The IRS told TIGTA it considers data breaches “one of the top five risks currently facing tax administration,” and has taken steps in recent years to address the problem.

The agency in 2015 convened its first Security Summit — a meeting of tax return preparers, software providers, state tax agencies and financial institutions — and has held annual summits since then.

“Tax return preparers are critical to this partnership, and because of the taxpayer information stored in their systems, they are increasingly a target for data theft,” TIGTA wrote.

In order to stay one step ahead of fraudsters, the IRS continues to release tax tips, alerts, and news releases on its website, and has stood up electronic mailboxes where entities can report data breaches.