IRS working to improve data security after major tax return leak

The IRS' inspector general says protecting taxpayer data continues to be a major challenge for the agency, as it struggles with several key cybersecurity areas.

IRS officials say they’re taking steps to shore up the security of internal systems and data after a contractor leaked sensitive information on thousands of taxpayers. But the IRS’ watchdog has determined the agency’s cybersecurity approach in several areas is “not effective,” potentially putting further taxpayer data at risk.

In an Aug. 14 memo, the Treasury Inspector General for Tax Administration (TIGTA) reviews how the IRS manages and safeguards sensitive taxpayer data.

“The protection of [federal taxpayer information] and [personally identifiable information] has been a long-term challenge for the IRS, and while the IRS continues to make improvements to its controls over the security and privacy of taxpayer data, additional actions are needed,” TIGTA wrote in the review.

The memo comes after House Ways and Means Committee Chairman Jason Smith (R-Mo.) had requested more information from the IG on its investigation into a recent leak of taxpayer data, including former President Donald Trump’s tax returns. An ex-IRS contractor pleaded guilty to stealing information on thousands of wealthy Americans between 2018 and 2020. In January, he was sentenced to five years in prison.

The IRS’s Unauthorized Access, Attempted Access, or Inspection of Taxpayer Records (UNAX) program identifies when employees inappropriately access taxpayer data. According to TIGTA, there were 1,028 UNAX violations between fiscal 2018 and 2023.

While 62 percent of the cases were referred for prosecution, only six of those cases were accepted for prosecution or are pending a prosecution determination. UNAX violations are typically referred to U.S. attorneys general offices. TIGTA noted that each office has its own criteria for determining whether to pursue prosecution.

“In addition, while working on UNAX violation cases, TIGTA’s Office of Investigations has encountered several challenges such as an individual moving protected data to a location where access cannot be regulated and tracked, technological limits to identifying sensitive data by the data structure alone, individualized encryption and storage scenarios restricting the access of investigators, and the use of personal or non-IRS e-mail to transmit sensitive information,” the memo states.

In response to the review, IRS officials told TIGTA that the agency “continues to modernize and enhance its data security protections.”

For instance, the IRS’s Privacy, Governmental Liaison and Disclosure division is leading an “enterprise-wide effort” to categorize and label data according to its sensitivity. “Leveraging this categorization, the IRS has configured its software products to enable assignment of these sensitivity labels to improve controls for the storing and sharing of documents containing sensitive information,” the TIGTA review states.

The IRS also told TIGTA that it has deployed new identity systems to ensure employees only access sensitive information with a “need to know.” The systems, recommended by the Department of Homeland Security, rely on role-based access decisions and the principle of “least privilege.”

IRS officials also said they are taking steps to improve security audit logging. A new “Enterprise Security Audit Trails” capability gives the IRS a “centralized repository and enhanced tools to manage and analyze internal and external attempts to access sensitive data and identify potential anomalous activity.”

The IRS told auditors it has also “disabled the use” of external storage devices, like thumb drives. The agency said it has also improved email controls, “including new restrictions on the ability to e-mail information outside the IRS, while preserving but closely monitoring this ability when necessary for collaborating with non-IRS employees.”

Additionally, the agency said it now secures data with encryption. In 2023, the IRS also instituted mandatory security training for all contractors.

In the memo, TIGTA noted it has not yet been able to verify the “veracity” of the IRS’s responses. But the IG said it will review many of those efforts under its 2025 audit plan.

The memo also noted how TIGTA is finalizing several audits related to IRS data security. By the end of this month, the IG plans to complete an audit on the security of a major IRS taxpayer data repository. And in September, TIGTA is preparing to issue a report on the agency’s “controls over the exfiltration of taxpayer data.”

IRS cybersecurity approach ‘not effective’

Meanwhile, in a separate annual evaluation of the effectiveness of the IRS’s cybersecurity program, TIGTA found multiple facets of the agency’s cyber approach were “not effective.” The July 29 report found the IRS was lacking in key areas, including supply chain risk management, identity security, and continuous monitoring.

“The IRS continues to be not effective in the same program areas,” the report states, adding that the agency “could improve on maintaining a comprehensive and accurate inventory of its information systems; tracking and reporting on an up-to-date inventory of hardware and software assets; implementing flaw remediation on a timely basis; encrypting to protect data at rest; and implementing multifactor authentication on its systems and facilities.”

The review measures the agency’s compliance with the Federal Information Security Modernization Act (FISMA). While the IRS had made progress on several areas in 2023, TIGTA found the IRS lacking in key areas such as the full deployment of multifactor authentication across its systems.

“Without a security program in compliance with FISMA requirements, taxpayer data could be vulnerable to inappropriate and undetected use, modification, or disclosure,” TIGTA auditors wrote.

Copyright © 2024 Federal News Network. All rights reserved.
