
IRS still faces security problems after taxpayer data leak

Five years after an IRS contractor began leaking thousands of tax returns to two news organizations, a new oversight report finds the agency still has work to do to ensure the security and privacy of taxpayer data.

The Treasury Inspector General for Tax Administration (TIGTA) said in its report that the IRS has taken steps to better protect federal tax information and taxpayers' personal data since ProPublica and the New York Times published articles in 2020 and 2021 that included data on the tax returns of billionaires such as Jeff Bezos, Michael Bloomberg and former President Donald Trump.

The leaked tax returns were eventually traced to an IRS contractor named Charles Littlejohn, who pleaded guilty earlier this year to disclosing thousands of tax returns without authorization and received a five-year prison sentence.

Following the leaks and subsequent reporting, House Budget Committee Chairman Jason Smith (R-Mo.) asked TIGTA in February 2023 to evaluate the IRS's security protocols and brief committee members.

That report, prepared at Smith's request, identified a number of challenges facing the IRS but also acknowledged the numerous “corrective actions” the agency has taken.

Among those challenges is deciding which users to grant access to sensitive IRS systems. The agency is “exploring measures to improve its ability to protect the data stored on its sensitive systems,” TIGTA reported. That's no small task considering that, as of July 2023, more than 86,000 current and former employees and 5,000 contractors were authorized to access at least one of the agency's 276 sensitive systems.

The IRS's procedures for locking out users who no longer need access “did not always work as intended,” the watchdog said. “Our evaluation found that not all user accounts are locked out in a timely manner once they are disconnected from the IRS.”

In response to the issue, the IRS said it is “already taking steps” to remove access from contractors who lack a positive background assessment, and noted that it has “fully implemented the automatic removal of network access for employees and contractors who are segregated in the IRS's human resources system. In addition, the IRS is making ongoing efforts to improve the processes for identifying and resolving all segregated user accounts that are not timely deleted.”

To further protect information, the IRS told TIGTA that it has established a data loss prevention program that uses an automated tool to monitor employees' web traffic and outgoing unencrypted email and flags any instances of unencrypted transmission of PII. The agency also noted that managers must “periodically reconfirm that users still need access to a sensitive system.”

Despite these efforts, TIGTA said in the report that it investigated 1,028 cases that appeared to violate the IRS's Unauthorized Access, Attempted Access or Inspection of Taxpayer Records (UNAX) program during fiscal years 2018 through 2023. Less than 1% of those cases have been approved for prosecution or are awaiting a prosecution decision, the watchdog said.

In response to a series of data security recommendations made to the IRS by TIGTA's Office of Investigations, the tax agency said it has taken steps in that direction, including categorizing sensitive IRS data, limiting internal sharing of sensitive information, improving audit logging, disabling external data storage, improving encryption methods, and increasing awareness of data privacy responsibilities.

The report noted that TIGTA's work on this issue is ongoing. The Office of Audit is currently investigating termination and transfer procedures for contract employees, data security issues in the IRS's Division of Research, Applied Analytics, and Statistics, and controls on the exfiltration of taxpayer data. These audits are expected to be completed no later than September.


Written by Matt Bracken

Matt Bracken is editor in chief of FedScoop and CyberScoop, overseeing coverage of federal government technology policy and cybersecurity. Before joining Scoop News Group in 2023, Matt was a senior editor at Morning Consult, leading data-driven coverage of technology, finance, health and energy. He previously worked in various editorial roles at The Baltimore Sun and the Arizona Daily Star.