IRS left sensitive taxpayer info vulnerable to leaks, Inspector General finds
IRS commissioner said the agency had improved many systems to protect data after an employee leaked Trump's and other wealthy taxpayers' data
Sensitive taxpayer information is vulnerable to access and removal because of poor Internal Revenue Service security, determined an inspector general investigation prompted by a recent leak scandal involving former President Trump's tax returns.
Under the lack of controls, former IRS employees, as well as employees of private contractors, can gain access to sensitive financial information of taxpayers, according to the investigation by the Treasury Inspector General for Tax Administration. IRS management disputes some of the conclusions.
"However, the fact remains that for some sensitive systems, the IRS does not have adequate controls to detect or prevent the unauthorized removal of data by users," the TIGTA report says.
IRS MOVE COULD CARRY HEFTY COST FOR SOME TAXPAYERS
The report found that even contractors with unfavorable background checks had access to sensitive information, and says, "The IRS should have suspended or disabled these contractors’ access until a favorable determination was on file."
The investigation was launched after former IRS contractor Charles Littlejohn leaked the tax information of Trump and thousands of other mostly wealthy taxpayers to media outlets. After pleading guilty in October, Littlejohn was sentenced to five years in prison last month.
"Alarm bells should have set off at the IRS when it was discovered that an IRS contractor stole and leaked thousands of individuals’ tax returns, including President Trump’s," House Ways and Means Chairman Jason Smith, R-Mo., said in a public statement. "Instead, it looks like the agency has done very little in response. The IRS has absolutely no excuse for the failure to protect confidential taxpayer information."
IRS Commissioner Daniel Werfel testified before the Ways and Means Committee on Thursday.
IRS WAIVING $1 BILLION IN PENALTY TAXES, WILL KICK OFF 2024 TAX SEASON ON JAN. 29
While the Littlejohn case is closed, former employees and contractors still have access to sensitive records despite their background checks, the inspector general found.
The report says 279 users in the Business Entitlement Access Request System, also known as BEARS, were listed as separated from the IRS as of last July but still have access to sensitive IRS data.
"As of July 2023, our analysis of BEARS data identified 153,120 users who currently have or had access to an IRS information technology system, of which 13,321 are contractors," the inspector general report says. "Further, of these 153,120 users, 91,661 have or had access to one or more of the 276 sensitive systems included in our evaluation."
At least 19 contractors had unfavorable background investigations but still kept access to at least one of the IRS systems with sensitive data, according to the report.
"Of the 5,068 users listed in BEARS as a contractor, 19 contractors’ most recent background investigations were not favorable as of July 13, 2023," the inspector general’s report found. "These contractors still retained their access to one or more sensitive systems because the IRS did not take action to suspend or disable the contractors from the IRS’s systems as required."
IRS ISSUES WARNING ABOUT EMERGING TAX SEASON SCAMS
The report says that in November 2023, the IRS "disabled network access for eight of the 19 contractors," adding, "11 contractors who did not have a favorable background investigation as of July 13, 2023, subsequently received a favorable determination."
"However, the fact remains that the IRS should have suspended or disabled these contractors’ access until a favorable determination was on file," the report says.
An IRS spokesperson did not respond to inquiries for this story. But in a response included in the report, Melanie R. Krause, IRS acting deputy commissioner for operations support, disputed several findings.
"The IRS already takes steps to remove access when a contractor is identified as not having a favorable background determination," Krause wrote in a response to the draft report. "Specifically, IRS security specialists notify the contracting officer’s representative (COR) of receipt of the unfavorable background determination and explicitly instruct the COR to suspend or separate the contractor in the personnel system, which triggers automatic removal."
Krause agreed with some of TIGTA’s security recommendations and argued that the agency is already improving.
"Collectively, the IRS’s security improvements have made the tax system more effective, efficient, and secure as we adapt and respond to the many evolving threats to taxpayer data and the trillions of dollars that flow through the IRS each year," she wrote.
However, during tax-filing season, Rep. David Schweikert, R-Ariz., the chairman of the House Ways and Means oversight subcommittee, called for the agency to improve guardrails.
IRS TO START SIMPLIFYING NOTICES TO TAXPAYERS THIS YEAR
"For the federal tax system to work, taxpayers must be confident that their private taxpayer information is safe and protected," Schweikert said in a statement. "The IRS clearly failed to put in place adequate safety measures to prevent the leaking of thousands of individuals’ tax returns, and it appears the agency still hasn’t learned its lesson. The last thing taxpayers need is one more excuse not to file."
Werfel, in testimony to the House Ways and Means Committee Thursday, said the IRS has "taken a bunch of actions" to protect taxpayer data and secure IRS systems, including more robust encryption, eliminating more removable media, and tighter printer and email controls.
GET FOX BUSINESS ON THE GO BY CLICKING HERE
TIGTA identified hundreds of systems in the IRS that had sensitive data that didn't have the appropriate audit trails, but Werfel said within days of starting as commissioner he sought to improve the protections.
"Those have now been done. We shared that with TIGTA, but TIGTA didn't have sufficient time to validate that we did everything we said we did."