GAO urges IRS to adopt tougher data security as TurboTax grapples with compromised accounts

The Government Accountability Office said it disagrees with the IRS stance that they do not have the authority to improve data security.
Written by Jonathan Greig, Contributor

The IRS and Government Accountability Office are locked in a dispute over data security, according to the letter sent by the GAO to Charles Rettig, commissioner of the IRS.

On Monday, the GAO said that since May 2019, it had suggested the IRS "develop a governance structure or steering committee to coordinate all aspects of IRS's efforts to protect taxpayer information while at third-party providers."

Since then, the IRS has said it agrees with the recommendation but does not believe it has the "explicit authority to establish security requirements for the information systems of paid preparers and others who electronically file," according to the GAO report. 

"We continue to believe that IRS could implement this recommendation without additional statutory authority," the GAO letter said. "Without this structure, it is unclear how IRS will adapt to changing security threats in the future and ensure those threats are mitigated."

Jessica Lucas-Judy, a GAO director overseeing work on the IRS, explained in the letter that the IRS continues to hold this view and reiterated their stance in January. 

Lucas-Judy added that the only way the IRS feels it could establish data safeguarding policies and implement strategies enforcing compliance with those policies would be through a "centralized leadership structure" that would need statutory authority clearly communicating the authority of IRS to do so. 

According to the IRS, beefing up data security would be "inefficient, ineffective, and costly use of resources" without the authority of a leadership structure. 

But Lucas-Judy said the IRS has seven different offices across the agency working on information security-related activities that "could benefit from centralized oversight and coordination." 

"These activities include updating existing standards, monitoring Authorized e-file Provider program compliance, and tracking security incident reports," Lucas-Judy wrote. 

According to Bleeping Computer, the GAO report came just days after Intuit was forced to notify TurboTax users of a breach following a series of account takeover attacks earlier this month. Attackers gained full access to the tax returns of an unknown number of people, and Intuit was forced to disable the compromised accounts. 

"By accessing your account, the unauthorized party may have obtained the information contained in a prior year's tax return or your current tax return in progress, such as your name, Social Security number, address[es], date of birth, driver's license number and financial information (e.g., salary and deductions), and information of other individuals contained in the tax return," Intuit said in a breach notification letter obtained by TechRadar.

The breach was discovered during a security review that was regularly scheduled. The company routinely notifies users whose accounts are accessed "by a third party using legitimate log-in credentials that Intuit believes were obtained from sources outside the company." Intuit confirmed in this instance that it was not a "systemic data breach."

Yaniv Bar-Dayan, CEO of Vulcan Cyber, said the IRS needed to be more urgent about protecting itself against cyber threats considering the government is still dealing with the ramifications of the SolarWinds attack

"Unfortunately, threat actors aren't going to sit around and wait. The creation of a 'governance structure' from scratch isn't necessary," Bar-Dayan said. 

"The IRS should ride the coattails of cyber governance, risk and compliance frameworks that have already been successfully implemented by the largest public and private financial institutions in the world. Most importantly, take proactive steps now to protect IRS operations and taxpayer data and funds through risk remediation initiatives."

Editorial standards