IRS still faces security challenges in aftermath of taxpayer data leak
Five years after an IRS contractor began leaking thousands of tax returns to a pair of news organizations, a new watchdog report finds that the agency still has some work to do to ensure the security and privacy of taxpayer data.
The Treasury Inspector General for Tax Administration said in its report that the IRS has taken steps to better protect federal tax information and personally identifiable information of taxpayers since ProPublica and The New York Times published stories in 2020 and 2021 containing data on returns from billionaires including Jeff Bezos, Michael Bloomberg and former President Donald Trump.
Those leaked returns were eventually traced to an IRS contractor named Charles Littlejohn, who earlier this year pleaded guilty to the disclosure of thousands of tax returns without authorization, receiving a five-year prison sentence.
In the aftermath of the leaks and the subsequent reporting, House Ways and Means Committee Chairman Jason Smith, R-Mo., asked TIGTA in February 2023 to assess IRS security protocols and provide briefings to members of the committee.
This report, a result of Smith’s request, identified a handful of challenges the IRS faces while acknowledging the many “corrective actions” the agency has pursued.
Among those challenges is determining which users should be granted access to sensitive IRS systems. The agency is “evaluating steps to improve its ability to safeguard data housed on its sensitive systems,” TIGTA reported, no small task given that more than 86,000 current and former employees and 5,000 contractors were authorized to access at least one of those 276 systems as of July 2023.
The IRS’s procedures to cut off users that no longer need access “were not always working as intended,” the watchdog stated. “Our evaluation identified that not all user accesses are timely removed once they are separated from the IRS.”
The IRS said in response to the issue that it “already takes steps” to strip access from contractors deemed to be lacking a favorable background determination, in addition to noting that it has “fully implemented automated removal of user network access for employees and contractors separated in the IRS personnel system. In addition, the IRS has an ongoing effort to improve processes for the identification and resolution of any separated user accounts that have not been timely purged.”
To further safeguard information, the IRS told TIGTA that it has established a data loss prevention program, which utilizes an automated tool to monitor web traffic and outgoing unencrypted emails from employees and then flag any instances of unencrypted sending of PII. The agency also noted that managers “must periodically recertify that users have a continued need for access to a sensitive system.”
Despite these efforts, TIGTA revealed in the report that from fiscal years 2018 to 2023, it had investigated 1,028 cases that appeared to violate the IRS’s Unauthorized Access, Attempted Access, or Inspection of Taxpayer Records (UNAX) program. Less than 1% of those cases have been accepted for prosecution or are pending a prosecution determination, the watchdog said.
In response to a slew of data security recommendations TIGTA’s Office of Investigations provided to the IRS, the tax agency said it has made moves in that direction, including the categorization of sensitive IRS data, limiting internal sharing of sensitive information, improving audit logging, disabling external storage of data, enhancing encryption methods, and enhancing awareness of data protection responsibilities.
The report noted that TIGTA’s work on this topic is ongoing, with its Office of Audit currently probing contractor employee separations and transfer procedures, data security issues in the IRS’s Research, Applied Analytics, and Statistics division, and controls over the exfiltration of taxpayer data. Those audits are estimated to be finished by no later than September.
