It's Tax Time, But Can the IRS Secure Your Data?

WASHINGTON -- Can taxpayers be rest assured last year's IRS security breeches won't happen again? Probably not.

The Senate Finance Committee held a hearing to see what the IRS is doing to prevent additional cyber attacks and protect sensitive taxpayer data, but the problem appears bigger than their current resources.

Sen. Ron Wyden, D-Ore., said government agencies are failing to protect American taxpayers' sensitive information.

"Hackers and crooks, including many who work for foreign crime syndicates, are jumping at every opportunity they have to steal hard-earned money and sensitive personal data from American taxpayers," Wyden said. "In my view, taxpayers have been failed by the agencies, the companies, and the policymakers here in Congress they rely on to protect them."

Senators on the comittee pointed to a 2015 breach that allowed hackers to access over 700,000 taxpayer accounts between January and May of 2015. The breach affected users of the IRS Get Transcript web service, which allowed taxpayers to request copies of old tax returns.

"It was unacceptable for the IRS to leave the front door open to hackers by using a weak authentication process for its Get Transcript system," Wyden said. "It meant thieves could walk through the door and steal the tax information of three quarters of a million taxpayers."
 
The IRS set up an Identity Protection PIN system for previous victims of identity theft, but suspended the PIN service after security issues exposed previous victims information once again.

"To make matters worse, after the IRS mailed special Identity Protection PIN numbers to the hacking victims, it repeated its mistake and used lax security online," Wyden said.

"For the tax scammers, once again it was as easy as going online, plugging in the personal data you've already stolen, and pretending to be somebody who's lost their IP PIN," he said. "So after leaving the front door open, the IRS left the back door open, too. There is no excuse for this."

Wyden acknowledged the IRS cyber attack defense is struggling because its losing many of its top technology staff to private firms, and its having issues replacing these people without Congressional approval for streamlined critical pay authority.

Without this authority, it can take four to six months to onboard a new IRS hire.

"So let's be clear, taxpayer information is under assault every day, but the IRS does not have the legal authority it needs from Congress to build a cybersecurity team that can beat back the crooks," Wyden said.

"Already there's been an exodus of high-ranking IRS tech staff. The director of cybersecurity operations left a month ago," he continued. "The terms for the remaining employees working under this authority continue to expire, including for one of our witnesses, chief technology officer Terence Milholland. Come 2017, there will not be any left."

IRS Commissioner John Koskinen said securing IRS systems and protecting taxpayer data is a top priority, adding that they withstand more than one million hacking attempts each day.

But he says they are facing challenges trying to anticipate new cyber threats while also accommodating taxpayers' growing digital demands.

"We need to be able to anticipate the criminals' next move and attempt to stay ahead of them," Koskinen said.

"We realize the need to meet taxpayers' increasing demand for digital services. We are aware however that in moving towards this enhanced online experience, we must continually upgrade and improve our ability to verify the identity of taxpayers using these services," he said. "Taxpayers will only use these services if they are confident that they are safe and secure."

"We need to keep the criminals out, while letting the leigitimate taxpayers in," he said. "Our goal is to have the strongest possible authentication process for our online services while maintaining the ability of taxpayers to access their data and use IRS services online."

Koskinen said the IRS has implented more than 80 percent of the 2,000 security recommendations they recieved from the GAO and the Treasury Department's inspector general.

He said they are working as quickly as they can to implement other recommendations.