The Senate Finance Committee held a hearing Tuesday to examine the Internal Revenue Service’s recent failures to protect taxpayer information from cybercriminals.
The hearing probed the IRS’s efforts to protect private taxpayer information this tax season to determine what improvements may be needed to better safeguard taxpayers from cybercriminals.
In his opening statement, Senate Finance Committee chairman Orrin Hatch, R-Utah, pointed out that his committee urged the IRS, state revenue commissioners, and leaders in the tax preparation industry to come together last year to convene a Security Summit. That effort led to new information-sharing agreements to help identify suspicious activity in the tax filing and refund process.
“But in the face of this progress, we have also seen unprecedented growth in the scope and scale of cyber-attacks aimed at stealing personal information and billions of dollars from taxpayers,” said Hatch. “Last year alone, cyber-criminals obtained access to sensitive personal information from several large health insurers, exposing tens of millions of Americans to potential identity theft. Foreign governments gained access to poorly protected federal government databases, including a treasure trove of information at the Office of Personnel Management.”
While there has been some progress, Hatch acknowledged, the challenges are continuing to grow, and identity thieves are becoming more sophisticated and aggressive. “American taxpayers—and their livelihoods—are their targets,” he said. “In other words, we have a lot of work to do. My hope is that we’ll continue to be able to work on these issues on a bipartisan basis in order to do right by the American people.”
Sen. Ron Wyden, D-Ore., the ranking Democrat on the Senate Finance Committee, acknowledged that government agencies are failing to protect American taxpayers from identity theft. “Hackers and crooks, including many working for foreign crime syndicates, are jumping at every opportunity they have to steal hard-earned money and sensitive personal data from U.S. taxpayers,” he said. “It happens online and in the real world. And in my view, taxpayers have been failed by the agencies, the companies and the policymakers here in Congress they rely on to protect them.”
Wyden pointed to problems with the IRS’s online Get Transcript application last year (see IRS Finds ‘Get Transcript’ Data Breach Was More Widespread).
“It was unacceptable for the IRS to leave the front door open to hackers by using a weak authentication process for its Get Transcript system,” he said. “It meant thieves could walk through the door and steal the tax information of three quarters of a million taxpayers.”
Wyden also pointed to problems this year with the IRS’s Identity Protection PIN system for previous victims of identity theft (see IRS Suspends IP PIN Service for Identity Theft Victims). “To make matters worse, after the IRS mailed special Identity Protection PIN numbers to the hacking victims, it repeated its mistake and used lax security online,” he said. “For the tax scammers, once again it was as easy as going online, plugging in the personal data you’ve already stolen, and pretending to be somebody who’s lost their IP PIN. So after leaving the front door open, the IRS left the back door open, too. There is no excuse for this.”
Wyden pointed out that the IRS has been losing many of its top technology staff to the private sector. “If you’re a top-notch tech expert, you’re already taking a pay cut to work in public service compared to what you’d earn at firms in Oregon or California,” he said. “Now, without what’s called ‘streamlined critical pay authority,’ it can take four to six months to bring a new hire on board at the IRS. So let’s be clear: Taxpayer information is under assault every day, but the IRS does not have the legal authority it needs from Congress to build a cybersecurity team that can beat back the crooks. Already there’s been an exodus of high-ranking IRS tech staff. The Director of Cybersecurity Operations left a month ago. The terms for the remaining employees working under this authority continue to expire, including for one of our witnesses, Chief Technology Officer Terence Milholland. Come 2017, there will not be any left.”
Wyden blamed unregulated tax preparers for some of the criminal activity. “For years Republicans and Democrats agreed on the need for minimum standards for return preparers, but Congress has sat back and watched while criminals have come in and preyed on taxpayers,” he said. “When it comes to blocking hackers, Congress has done next to nothing while the IRS loses its ability to hire the experts who can keep taxpayer information safe.”
He acknowledged that many tax preparers are honest practitioners, but added that there are also some “bad apples in the barrel.”
“Last year Senator [Ben] Cardin and I introduced a bill giving IRS the authority to regulate tax return preparers,” said Wyden. “Senator Hatch and I have worked to create a bipartisan identity theft bill for markup in the Finance Committee, which I had hoped would include the regulation of return preparers. It is still my view that people handling sensitive taxpayer information should meet minimum standards and that the committee should vote to require that.”
Comptroller General Gene Dodaro, who heads the Government Accountability Office, discussed a new GAO report on the IRS’s need to further improve controls over taxpayer data and combat identity theft and tax refund fraud. The report noted that the IRS estimates it paid $3.1 billion in fraudulent refunds in filing season 2014, while preventing $22.5 billion. However, the full extent of the identity theft is unknown because of the challenges inherent in detecting this type of fraud.
IRS Commissioner John Koskinen defended his agency’s efforts while pointing to the need for more funding to improve the agency’s cybersecurity. “Securing our systems and taxpayer data continues to be a top priority for the IRS,” he said. “Even with our constrained resources as a result of repeatedly decreased funding over the past few years, we continue to devote significant time and attention to this challenge, which is twofold. First, the IRS works continuously to protect our main computer systems from cyber incidents, intrusions and attacks, but our primary focus is to prevent criminals from accessing taxpayer information stored in our databases. These core tax-processing systems remain secure, through a combination of cyber defenses, which currently withstand more than one million attempts to maliciously access our systems each day. Second, the IRS is waging an ongoing battle to protect taxpayers and their information as we confront the growing problem of stolen identity refund fraud.”
But Koskinen said the IRS needs to continue to make itself available online to taxpayers. “As we confront these challenges, the IRS has also been working to expand and improve our ability to interact with taxpayers online,” he said. “While we already engage taxpayers across numerous communications channels, we realize the need to meet taxpayers’ increasing demand for digital services.”
Sen. Chuck Grassley, R-Iowa, pressed Koskinen on why the IRS hasn’t implemented several recommendations to protect taxpayer information. Grassley, a former chairman of the Finance Committee and the current chairman of the Judiciary Committee, recently introduced legislation to increase penalties for the theft of taxpayer information (see Senate Bill Would Toughen Penalties for Tax ID Theft).
“Agency watchdogs and auditors put out a lot of recommendations that took time and money and would help solve problems,” said Grassley. “It’s frustrating when agencies don’t implement the recommendations and even more frustrating when they don’t have a good reason for not implementing the recommendations, as we saw with the IRS today.”