Watchdog flags security issues with IRS-ICE data-sharing agreement
An IRS watchdog added a new wrinkle this week to ongoing examinations of the agency’s data-sharing agreement with Immigration and Customs Enforcement, revealing shortcomings in how tax information was protected.
According to a partially redacted report released Monday by the Treasury Inspector General for Tax Administration, ICE did not meet safeguarding standards before it signed the April 2025 memorandum of understanding with the IRS.
The signing of that MOU triggered the acting IRS commissioner’s departure from the agency and a pair of lawsuits: Centro De Trabajadores Unidos v. Bessent and Center for Taxpayer Rights v. IRS. TIGTA noted that its review focused on the processes and controls the IRS followed as part of the pact, rather than the legality of the MOU itself.
The watchdog detailed some data-sharing specifics unearthed in court documents, specifically in sworn testimony from the IRS’s chief operating officer. TIGTA’s evaluation covered the automated process deployed by the tax agency to match ICE data with its own records.
That process played out in a June 2025 request from ICE for more than 1.2 million IRS records. In response to that request, the IRS shared with ICE the last known address information for roughly 47,000 people. A federal judge said in a February court filing that the IRS broke federal law “approximately 42,695 times,” referring to the number of taxpayer addresses it ultimately disclosed to ICE via its Taxpayer Identification Number Matching.
TIGTA’s report touched on that issue, writing that the IRS was “unable to accurately and consistently match ICE records” due to “the lack of uniformity in the formatting of ICE data.”
“Additionally, slight variations in the name and address fields resulted in the IRS not providing last known address information to ICE for certain cases that may have been a match,” the report said.
Prior to sending federal tax information (FTI) to other agencies, the IRS conducts a safeguard review. According to TIGTA, the IRS had an existing agreement with the Department of Justice to share FTI that was “subsequently redisclosed to ICE.”
“Because of this arrangement,” the watchdog continued, “the IRS completed a review and issued [a Safeguard Review Report] on ICE’s safeguards used to protect the confidentiality of federal tax returns and return information furnished by the IRS in November 2023.”
TIGTA said there were a number of findings that “remained open at the time of the data transfer,” though it redacted the specific figure. And the Treasury IG also found that ICE didn’t submit a Corrective Action Plan “to document actions, taken or planned, to address those findings prior to signing the current data-sharing agreement in April 2025.”
By July 2025, ICE provided the IRS with information on its documented actions, but the Department of Homeland Security component “provided no implementation date for when these actions would be completed,” per the report.
“Additionally, in its July 2025 response ICE stated that it has and will continue to advise staff not to receive FTI directly,” TIGTA wrote. “Instead, staff are instructed to view FTI through the U.S. Attorney’s Offices or by inviting an IRS-Criminal Investigation agent to work their investigation jointly. Since no additional information has been shared, we were unable to verify this process.”
The watchdog did not make any recommendations to the IRS based on its findings, but it does plan to share its concerns about the data-sharing security issues it flagged with DHS’s Office of Inspector General.
“We previously reported that IRS data repositories are complex, voluminous, and fragmented, presenting unique challenges for developers working to establish accurate and secure datasharing agreements,” the Treasury IG concluded. “In addition, highly sensitive taxpayer data must always be secure.
“Without assurance that findings have been mitigated, there is a potential risk that ICE could fail to properly safeguard taxpayer data received from the IRS under the data-sharing agreement.”
