
IRS works to improve data security after major tax return leak

IRS officials say they are taking steps to improve the security of internal systems and data after a contractor leaked confidential information about thousands of taxpayers. But the IRS regulator has found the agency's cybersecurity approach is “not effective” in several areas and may put more taxpayer data at risk.

In an August 14 memo, the Treasury Inspector General for Tax Administration (TIGTA) reviews how the IRS manages and protects sensitive taxpayer data.

“The protection of [federal taxpayer information] and [personally identifiable information] is a long-term challenge for the IRS, and while the IRS continues to improve its controls over the security and privacy of taxpayer data, additional actions are needed,” TIGTA wrote in the review.

The memo comes after House Budget Committee Chairman Jason Smith (R-Mo.) asked the inspector general for more information on his investigation into a recent data breach of taxpayers, including former President Donald Trump's tax returns. A former IRS employee pleaded guilty to stealing information on thousands of wealthy Americans between 2018 and 2020. He was sentenced to five years in prison in January.

The IRS's Unauthorized Access, Attempted Access, or Inspection of Taxpayer Records (UNAX) program detects when employees access taxpayer records without authorization. According to TIGTA, there were 1,028 UNAX violations between fiscal years 2018 and 2023.

While 62 percent of cases were referred for prosecution, only six of those cases have been approved for prosecution or are awaiting a prosecution decision. UNAX violations are typically referred to the U.S. Attorneys General. TIGTA noted that each office has its own criteria for determining whether to prosecute.

“In addition, TIGTA's Bureau of Investigation has encountered several challenges in working on UNAX violation cases, including the fact that an individual moves protected data to a location where access cannot be regulated and tracked, technological limitations in identifying sensitive data based on data structure alone, unique encryption and storage scenarios limiting investigators' access, and sensitive information being transmitted via personal or non-IRS email addresses,” the memo said.

In response to the review, IRS officials told TIGTA that the agency “continues to modernize and enhance its privacy protections.”

For example, the IRS's Privacy, Government Relations, and Disclosure Division is conducting an “enterprise-wide effort” to categorize and label data according to its sensitivity. “Based on this categorization, the IRS has configured its software products to allow these sensitivity labels to be assigned to enhance controls over the storage and sharing of documents containing sensitive information,” the TIGTA review states.

The IRS also told TIGTA that it has implemented new identity systems to ensure that employees only access sensitive information when they have a “need to know” requirement. The systems, recommended by the Department of Homeland Security, are based on role-based access decisions and the principle of “least privilege.”

IRS officials also said they are taking steps to improve security audit logging. A new “Enterprise Security Audit Trails” feature gives the IRS a “central repository and enhanced tools to manage and analyze internal and external attempts to access confidential data and identify potential anomalous activity.”
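The two controls described above, need-to-know access decisions under least privilege and a central audit trail reviewed for anomalous access, fit together: the same policy that decides an access request can be replayed over the audit log to flag UNAX-style violations after the fact. The following is an added illustration, not IRS code and not based on any IRS system; the employee directory, roles, log format, thresholds and record identifiers are all constructed for the example.

```python
"""Added example (not IRS code): need-to-know access checks plus audit-trail
review over constructed log lines. Names, roles, thresholds and the log format
are assumptions made for illustration only."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Employee:
    # Constructed directory entry: role plus the taxpayer records the
    # employee is assigned to work on (their "need to know").
    emp_id: str
    role: str
    assigned_records: set = field(default_factory=set)


# Hypothetical role permissions: which actions a role may take at all.
ROLE_ACTIONS = {
    "examiner": {"read"},
    "adjuster": {"read", "update"},
    "helpdesk": set(),  # no direct taxpayer-record access
}


def authorize(emp: Employee, record_id: str, action: str) -> bool:
    """Least privilege: the role must permit the action AND the record must
    be in the employee's assignment. Both conditions are required."""
    return action in ROLE_ACTIONS.get(emp.role, set()) and record_id in emp.assigned_records


# Constructed audit-trail lines (assumed format): timestamp, employee,
# record, action, result. Every access succeeded at the time it happened;
# the review below decides whether it should have.
AUDIT_LOG = """\
2024-08-01T09:02:11Z emp=E100 record=TIN-0001 action=read result=ok
2024-08-01T09:05:40Z emp=E100 record=TIN-0002 action=read result=ok
2024-08-01T09:07:03Z emp=E200 record=TIN-0001 action=update result=ok
2024-08-01T21:15:22Z emp=E200 record=TIN-0009 action=read result=ok
2024-08-01T21:16:01Z emp=E200 record=TIN-0010 action=read result=ok
2024-08-01T21:16:40Z emp=E200 record=TIN-0011 action=read result=ok
2024-08-01T21:17:12Z emp=E200 record=TIN-0012 action=read result=ok
2024-08-01T10:30:00Z emp=E300 record=TIN-0003 action=read result=ok
"""


def parse_line(line: str) -> dict:
    """Split one 'ts key=value ...' audit line into a dict."""
    ts, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    fields["ts"] = ts
    return fields


def review_audit_trail(log_text: str, directory: dict, volume_threshold: int = 3) -> list:
    """Replay each logged access against the access policy and flag:
    - 'unauthorized': an access the need-to-know policy would deny
      (unknown employee, role not permitted, or record not assigned)
    - 'volume': an employee touching more distinct records than expected
    Returns a list of (rule, emp_id, detail) findings in detection order."""
    findings = []
    distinct = defaultdict(set)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        emp = directory.get(ev["emp"])
        if emp is None or not authorize(emp, ev["record"], ev["action"]):
            findings.append(("unauthorized", ev["emp"],
                             f"{ev['action']} {ev['record']} at {ev['ts']}"))
        distinct[ev["emp"]].add(ev["record"])
    for emp_id, records in distinct.items():
        if len(records) > volume_threshold:
            findings.append(("volume", emp_id, f"{len(records)} distinct records"))
    return findings


# Constructed employee directory.
DIRECTORY = {
    "E100": Employee("E100", "examiner", {"TIN-0001", "TIN-0002"}),
    "E200": Employee("E200", "adjuster", {"TIN-0001"}),
    "E300": Employee("E300", "helpdesk", set()),
}

if __name__ == "__main__":
    for rule, emp, detail in review_audit_trail(AUDIT_LOG, DIRECTORY):
        print(f"[{rule}] {emp}: {detail}")
```

Running the block flags E200's four evening reads of records outside their assignment, E300's read from a role with no record access at all, and a volume finding for E200 (five distinct records against a threshold of three); E100's in-assignment reads produce nothing. The point of the design is that the authorization function is the single source of truth: enforced inline at access time, and replayed over the central audit trail so that accesses which slipped through (a stale assignment, a bypassed check) still surface for review.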

The IRS told auditors it had also “disabled” the use of external storage devices such as USB flash drives. The agency said it had also enhanced email controls, “including new restrictions on the ability to email information outside of the IRS. This ability will remain, but will be closely monitored to work with non-IRS personnel as needed.”

In addition, the agency said it now protects data through encryption. In 2023, the IRS also introduced mandatory security training for all contractors.

In the memo, TIGTA noted that it had not yet been able to verify the “credibility” of the IRS's responses. But the IG said it would review many of these efforts as part of its 2025 audit plan.

The memo also noted that TIGTA is completing several audits related to IRS data security. By the end of this month, the IG plans to complete an audit of the security of a large IRS taxpayer data repository. And in September, TIGTA is preparing to release a report on the agency's “controls over the exfiltration of taxpayer data.”

IRS cybersecurity approach ‘not effective’

Meanwhile, in a separate annual assessment of the effectiveness of the IRS's cybersecurity program, TIGTA found that several aspects of the agency's cyber approach were “not effective.” The July 29 report found the IRS lacks in key areas, including supply chain risk management, identity security and continuous monitoring.

“The IRS continues to be ineffective in the same program areas,” the report said. The agency could also “improve its comprehensive and accurate inventory of its information systems, track and report a current inventory of its hardware and software assets, implement bug fixes in a timely manner, encrypt data at rest, and implement multifactor authentication in its systems and facilities.”

The review measures the agency's compliance with the Federal Information Security Modernization Act (FISMA). While the IRS made progress in several areas in 2023, TIGTA found that the IRS lacked compliance in key areas, such as fully implementing multifactor authentication across all systems.

“Without a security program that complies with FISMA requirements, taxpayer data could be subject to inappropriate and undetected use, alteration, or disclosure,” TIGTA auditors wrote.

Copyright © 2024 Federal News Network. All rights reserved.