IRS failed to apply consumer protections for 11,406 taxpayers

IRS operators failed to record data of US taxpayers inside an IRS fraud detection system.
Written by Catalin Cimpanu, Contributor

FILE - In this April 13, 2014 file photo, the Internal Revenue Service Headquarters (IRS) building is seen in Washington. (AP Photo/J. David Ake, File)

J. David Ake, AP

The US Internal Revenue Service (IRS) has failed to activate protections for the victims of at least 89 data breaches, leaving at least 11,406 US taxpayers without protection from fraudulent tax filings.

These are the findings of a recent audit performed by the Treasury Inspector General for Tax Administration (TIGTA), an internal auditing service part of the US Department of Treasury.

More specifically, TIGTA investigators looked at the IRS Return Integrity and Compliance Services (RICS) Incident Management Tracker Matrix. This is a database of data breaches that external entities report to the IRS.

ZDNet: Black Friday 2018 deals: Business Bargain Hunter's top picks | Cyber Monday 2018 deals: Business Bargain Hunter's top picks

If Social Security numbers have been leaked during these data breaches, RICS operators are supposed to record the data breach inside the Incident Management Tracker Matrix and load a list of compromised Taxpayer Identification Numbers (TINs) inside the IRS' Dynamic Selection List (DSL) --an internal IRS security system that keeps an eye on tax filings containing the leaked TINs, looking for evidence of fraudulent filings.

But TIGFA found that IRS RICS operators have failed to record all reported data breaches and load all the exposed TINs inside the DSL. Below are the audit's summarized findings:

We obtained 3,486 e-mails located in the IRS's mailboxes used to receive reported data breaches from external entities. We judgmentally selected a sample of 527 e-mails that reported data breaches from the universe of 3,486 e-mails. We then compared the 527 e-mails associated with a data breach to the RICS Incident Management Tracker Matrix to determine if the RICS organization properly recorded all data breaches. We found that 89 (17 percent) were not recorded and monitored on the Incident Management Tracker Matrix.

For the 89 data breaches that were not recorded in the Incident Management Tracker Matrix, TIGTA determined that for:

  • 70 data breaches - the RICS analyst did not ask the external entity to provide the IRS with a list of stolen TINs. Internal guidelines require RICS analysts to request the stolen TIN list from the external entity and record the data breach on the Incident Management Tracker Matrix. If a TIN list cannot be obtained, an analyst should still document the data breach on the Incident Management Tracker Matrix with the notation, "unable to secure taxpayer data."
  • 15 data breaches - external entities provided the IRS with a TIN list but analysts failed to record the incident on the Incident Management Tracker Matrix. As a result, 11,406 SSNs associated with these breaches were not added to the DSL. For 79 of these SSNs, the taxpayers already experienced the burden of an identity thief using their SSN to file a fraudulent tax return. The thieves used the taxpayers' SSNs to file either a Tax Year 2016 or 2017 return.
  • 4 data breaches - the analysts did request the TIN list but the external entity declined to provide one. However, similar to the first bullet, once the external entity declined to provide the TIN list, RICS analysts did not attempt to create a list of stolen TINs as required.

The TIGTA report blames IRS RICS staff for all the discovered issues, but also RICS management. This is because the Incident Management Tracker Matrix database does not track whether RICS operators receive compromised TINs for a reported data breach, but also doesn't track if the operator attempted to obtain a list of compromised TINs, or create one themselves.

TIGTA officials said the IRS promised to index the missing 11,406 TINs and also amend its data breach indexing procedures to avoid similar incidents in the future.

These are 2018's biggest hacks, leaks, and data breaches

Related security stories:

Best Black Friday 2018 deals:

Editorial standards