By expanding its online services, the IRS is putting taxpayers' data at greater risk, the Treasury Inspector General for Tax Administration told Congress on June 2.
"Providing taxpayers more avenues to obtain answers to their tax questions or to access their own tax records online . . . provides more opportunities for exploitation by hackers and other fraudsters," warned Russell George in testimony before the Senate Finance Committee.
George and IRS Commissioner John Koskinen testified before the committee, which is charged with oversight of the IRS, about the recent revelation that cybercriminals had breached the security protocols of the Get Transcript online application, a service for taxpayers to obtain prior-year tax returns for various purposes such as loans and student financial aid.
According to Koskinen, the cybercriminals overcame a multistep authentication process that required the taxpayer's Social Security number, date of birth, tax filing status, and home address. They also had to answer what the IRS calls several "out-of-wallet" questions (i.e., knowledge-based authentication questions) that only the taxpayer would normally know, such as the amount of a monthly home or car payment. Because the cybercriminals had this other information, Koskinen explained that the IRS believes that it was dealing with sophisticated organized crime syndicates.
In his testimony, however, George noted that the proliferation of data breaches, the amount of information freely available on the internet, and the expansion of e-commerce have combined to make knowledge-based authentication less secure.
According to Koskinen, since the data breach, about 13,000 questionable returns were filed for tax year 2014 for which the IRS issued refunds totaling about $39 million (average of $3,000 per return). The IRS is in the process of determining how many were filed by the actual taxpayers and how many involved stolen identities. TIGTA is also investigating the incident.
The IRS suspended the Get Transcript application after discovering the breach and is notifying the approximately 200,000 affected taxpayers of the attempts to obtain their data. The agency has already notified the approximately 100,000 taxpayers who had their data compromised and has offered free credit monitoring and suggested that affected taxpayers obtain an identity protection personal identification number (IP PIN), which it uses for other victims of identity theft.
However, George warned that "the risk for this type of unauthorized access to tax accounts will continue to grow as the IRS focuses its efforts on delivering taxpayers self-assisted interactive online tools." He noted, for example, that the IRS is preparing to launch a secure messaging pilot program in fiscal year 2016, which would lead to a "broader taxpayer digital communication rollout in the future." He also testified that his agency has found security weaknesses throughout IRS systems.