IRS security is failing taxpayers, senator says

The agency has suffered recent breaches, but Congress shares the blame, Wyden says

The U.S. Internal Revenue Service, Congress, and private electronic tax-filing vendors aren't doing enough to protect the personal information of taxpayers, senators said Tuesday.

The IRS needs to step up its cybersecurity efforts, said members of the Senate Finance Committee, citing two recent data breaches at the agency, along with 94 open cybersecurity recommendations from the Government Accountability Office.

"Hackers and crooks, including many working for foreign crime syndicates, are jumping at every opportunity they have to steal hard-earned money and sensitive personal data from U.S. taxpayers," Senator Ron Wyden, an Oregon Democrat, said during a hearing. "In my view, taxpayers have been failed by the agencies, the companies, and the policymakers here in Congress they rely on to protect them."

Senators noted a breach, discovered last May, in the IRS Get Transcript service, which allows taxpayers to request copies of old tax returns. The breach allowed attackers access to more than 720,000 taxpayer accounts between January 2014 and May 2015, the IRS said.

Last month, the IRS suspended a Web-based service allowing taxpayers to retrieve so-called IP Protection PINs (IP PINs), six-digit ID numbers, after security problems with the service. Attackers were able to access the e-file PINs connected to more than 100,000 Social Security numbers in a January attack, the IRS said.

The agency was issuing the PINs using only single-factor authentication, a violation of federal standards, said J. Russell George, inspector general for tax administration in the Department of the Treasury.

After the IRS mailed PINs to the Get Transcript hacking victims, "it repeated its mistake and used lax security online," Wyden said. "For the tax scammers, once again it was as easy as going online, plugging in the personal data you’ve already stolen, and pretending to be somebody who’s lost their IP PIN. So after leaving the front door open, the IRS left the back door open, too. There is no excuse for this."

The IRS breaches are among a growing list of major government breaches. Just this month, the Philippine Commission on the Elections said the personal information of about 70 million people was compromised by hackers. And a hacking group called Cyber Justice Team leaked data from several Syrian government and private websites.

The IRS isn't the only weak link in U.S. taxpayer security, Wyden said. E-file vendors have had their own security problems, he said, and congressional authority allowing the IRS to streamline its cybersecurity hiring process has lapsed. 

The streamlined hiring authority is important, said John Koskinen, the agency's commissioner. Most qualified cybersecurity workers won't wait around for the three- to six-month standard federal hiring process, he said.

The IRS is working hard to improve its cybersecurity, Koskinen added. The agency has gotten more than 2,000 security recommendations from the GAO and the Treasury Department's inspector general in recent years, and it has implemented more than 80 percent of them, he said.

Security of taxpayer information is a "top priority," Koskinen said. IRS systems withstand more than 1 million malicious attempts to access data each day, he added.

But Senator Chuck Grassley, an Iowa Republican, questioned why the IRS hasn't implemented some inexpensive GAO recommendations, like changing the passwords on some of its servers every 90 days or providing online security training to new contractors. 

"Would you agree that these are low-cost changes that could improve computer security?" Grassley asked Koskinen. "Why haven't they been done?"

The IRS is moving away from passwords, which are "somewhat questionable" in terms of providing security, and toward access cards, Koskinen said. "We are working as quickly as we can" to implement other recommendations, he added.


Grant Gross

IDG News Service