IRS security is failing taxpayers, senator says

The agency has suffered recent breaches, but Congress shares the blame, Wyden says

The U.S. Internal Revenue Service, Congress, and private electronic tax-filing vendors aren't doing enough to protect the personal information of taxpayers, senators said Tuesday.

The IRS needs to step up its cybersecurity efforts, said members of the Senate Finance Committee, citing two recent data breaches at the agency, along with 94 open cybersecurity recommendations from the Government Accountability Office.

"Hackers and crooks, including many working for foreign crime syndicates, are jumping at every opportunity they have to steal hard-earned money and sensitive personal data from U.S. taxpayers," Senator Ron Wyden, an Oregon Democrat, said during a hearing. "In my view, taxpayers have been failed by the agencies, the companies, and the policymakers here in Congress they rely on to protect them."

Senators noted a breach, discovered last May, in the IRS Get Transcript service, which allows taxpayers to request copies of old tax returns. The breach allowed attackers access to more than 720,000 taxpayer accounts between January 2014 and May 2015, the IRS said.

Last month, the IRS suspended a Web-based service allowing taxpayers to retrieve so-called IP Protection PINs (IP PINs), a six-digit ID number, after security problems with the service. Attackers were able to access the e-file PINs connected to more than 100,000 Social Security numbers in a January attack, the IRS said.

The agency was issuing the PINs using only single-factor authentication, a violation of federal standards, said J. Russell George, inspector general for tax administration in the Department of the Treasury.

After the IRS mailed PINs to the Get Transcript hacking victims, "it repeated its mistake and used lax security online," Wyden said. "For the tax scammers, once again it was as easy as going online, plugging in the personal data you’ve already stolen, and pretending to be somebody who’s lost their IP PIN. So after leaving the front door open, the IRS left the back door open, too. There is no excuse for this."

The IRS breaches are among a growing list of major government breaches. Just this month, the Philippine Commission on the Elections said the personal information of about 70 million people was compromised by hackers. And a hacking group called Cyber Justice Team leaked data from several Syrian government and private websites.

The IRS isn't the only weak link in U.S. taxpayer security, Wyden said. E-file vendors have had their own security problems, he said, and congressional authority allowing the IRS to streamline its cybersecurity hiring process has lapsed. 

The streamlined hiring authority is important, said John Koskinen, the agency's commissioner. Most qualified cybersecurity workers won't wait around for the three- to six-month standard federal hiring process, he said.

The IRS is working hard to improve its cybersecurity, Koskinen added. The agency has gotten more than 2,000 security recommendations from the GAO and the Treasury Department's inspector general in recent years, and it has implemented more than 80 percent of them, he said.

Security of taxpayer information is a "top priority," Koskinen said. IRS systems withstand more than 1 million malicious attempts to access data each day, he added.

But Senator Chuck Grassley, an Iowa Republican, questioned why the IRS hasn't implemented some inexpensive GAO recommendations, like changing the passwords on some of its servers every 90 days or providing online security training to new contractors. 

"Would you agree that these are low-cost changes that could improve computer security?" Grassley asked Koskinen. "Why haven't they been done?"

The IRS is moving away from passwords, which are "somewhat questionable" in terms of providing security, and toward access cards, Koskinen said. "We are working as quickly as we can" to implement other recommendations, he added.


Grant Gross

IDG News Service