IRS identity theft trackers overlooked data breaches, report says

An IRS office tasked with monitoring identity theft and bogus tax returns overlooked critical information related to several external data breaches, a new report has found.

The Treasury Inspector General for Tax Administration detailed in a Nov. 14 report how the IRS’s Return Integrity and Compliance Services (RICS) organization — which oversees efforts to assist tax preparers in identifying and mitigating data breaches on their networks to prevent identity theft — didn’t record and monitor some 89 external data breaches reported to it in 2017.

The 89 incidents represent 17 percent of the breaches identified in the report, but they potentially affect the information of thousands of taxpayers.

The RICS organization provides email addresses for tax preparers and payroll service providers to alert the IRS when they have experienced a data breach that has exposed a taxpayer’s personally identifiable information or if the preparers are receiving potential phishing emails.

If a breach occurs, the IRS stakeholder liaison then coordinates with the tax preparers or payroll providers who have been breached to gather information about those affected — such as names, Social Security Numbers and Employer Identification Numbers for breaches impacting business taxpayers.

The stakeholder liaison then feeds the information to the RICS organization, which monitors it against possible fraudulent returns and other criminal activity through its Incident Management Tracker Matrix data system.

RICS then assigns a risk assessment score based on what taxpayer information has been compromised, including Taxpayer Identification Numbers (TINs), in conjunction with the PII exposed.

But the report found that 89 of the 527 reported breaches analyzed were not recorded or monitored by RICS analysts. The TIGTA report notes in the case of 70 of the breaches, analysts didn’t request a list of the TINs stolen and didn’t note whether they were able to obtain the numbers or not.

RICS analysts failed to record 15 of the breaches at all, leaving more than 11,000 affected Social Security Numbers off the agency’s Ultra High Dynamic Selection List, which allows affected taxpayers to authenticate their tax returns.

In the remaining four breaches, tax preparers denied RICS analysts a list of the affected TINs. However, the report says that the analysts failed to note that they were unable to secure the numbers or whether they tried to obtain them from taxpayer files.

In the report, TIGTA said the breaches were largely overlooked because the system used to track them didn’t include the functionality needed to note when TINs weren’t provided or whether analysts were unable to discover them, despite the IRS having policy procedures for both situations.

“The omission of the 89 data breaches from the Incident Management Tracker Matrix occurred primarily because RICS organization management did not establish a reconciliation process to ensure that analysts record all data breaches received,” the report said. “In addition, management does not have a process to monitor the receipt of a TIN list or to ensure that when this list is not received RICS analysts attempt to create a list.”

The report also found 105 breaches where RICS analysts failed to add TINs to the Dynamic Selection List. TIGTA officials said that RICS analysts may have left more than 28,000 TINs involved in breaches off the DSL. TIGTA officials later reduced that number to 27,270, but redacted their reasoning, and confirmed that 185 TINs were not on the list that should have been.

Another 2,976 TINs that scored from Ultra High to Medium High on risk assessments were not filtered to detect possible fraudulent returns.

TIGTA officials offered four recommendations:

• Record the 89 data breaches on the Incident Management Tracker Matrix Record, calculate an incident risk assessment score for each and apply appropriate treatments
• Develop processes to ensure all breaches are added to the Incident Management Tracker Matrix Record
• Research the 27,270 TINs and the 2,976 TINS we identified as potentially not being on the DSL to determine if they were previously added, and for those not added, include them on the DSL
• Add the 185 TINs that we identified to the DSL to allow detection of potential identity theft returns filed using the TINs

IRS officials said they agreed with all recommendations and had taken steps to implement them.