How Did Taxpayers' Info Get Hacked at the IRS?
J. Russell George, the Treasury Department inspector general for tax administration, said IRS reports that have not yet been validated indicate a hacker or hackers cleared an authentication process that required knowledge of information about the taxpayer, including Social Security number, date of birth, tax filing status and street address.
“In addition, it appears that these third parties had access to private personal information that allowed them to correctly answer questions which typically only the taxpayer would know,” George said. “This type of information can be purchased from illicit sources or fee-based databases or obtained from social media sites.”
George noted that the current technology environment has raised taxpayers’ expectations for online customer service interactions and the IRS feels the need to meet those expectations. But the risk of unauthorized access to tax accounts will continue to grow as the IRS focuses its efforts on delivering taxpayers self-assisted interactive online tools.
“The proliferation of data breaches reported in recent years and the types of information available on the Internet has resulted in a degradation of controls used to authenticate individuals accessing personal data in some systems,” George said. “The expansion of e-commerce services often conflicts with the tenets of strict security standards.”
Providing taxpayers more avenues to obtain answers to their tax questions or to access their own tax records online, George said, “also creates greater risk to an organization and provides more opportunities for exploitation by hackers and other fraudsters.”
George said the inspector general’s office has identified a number of areas in which the IRS could better protect taxpayer data and improve its overall security posture. As of March, IG audits of IRS systems have resulted in 44 security recommendations that have yet to be implemented. While most of these recommendations are based on recent audits, there are 10 recommendations from five audits that are over three years old.
“The IRS faces the daunting task of protecting its data and IT environment from the ever-changing and rapidly evolving hacker world,” George said. “This incident provides a stark reminder that even security controls that may have been adequate in the past can be overcome by hackers who are anonymous, persistent and have access to vast amounts of personal data and knowledge.”
The agency, George said, “needs to be even more vigilant in protecting the confidentiality of sensitive taxpayer information. Otherwise, as shown by this incident, taxpayers can be exposed to the loss of privacy and to financial damages resulting from identity theft or other financial crimes.”
Sen. Orrin Hatch (R-Utah), the committee chairman, told Koskinen that, as a result of the breach, the IRS “has failed these taxpayers.”
“In fact, there is reason to believe the IRS will be more frequently targeted in the future,” Hatch said. “After all, the IRS stores highly sensitive information on each and every American taxpayer, from individual taxpayers to large organizations and from mom and pop businesses to multinational corporations. The challenge of data security matters a great deal to every single taxpayer and will continue to be a central challenge to tax administration in the coming years.”
Data security and the protection of taxpayer information, Hatch added, “is of the highest importance in the prevention of stolen identity refund fraud.”
“Identity theft, and the resulting tax fraud, costs taxpayers billions of dollars every year, and, once it occurs, it can take months or years for a taxpayer to mitigate the damage,” he said.
Sen. Ron Wyden (D-Ore.), the panel’s ranking member, said in his view the conduct of the hackers “fits the definition of organized crime.”
“This is not just a question of resources, and certainly it is not a lack of commitment from the IRS staff,” Wyden said. “It’s also a question of expertise. The era of punch cards and paper forms ended long ago. Federal agencies like the IRS need to tap into the expertise of our leading web firms – the pros who serve not millions or tens of millions, but hundreds of millions of users.”