IRS security is failing taxpayers, senator says

The agency has suffered recent breaches, but Congress shares the blame, Wyden says

The U.S. Internal Revenue Service, the Congress, and private electronic tax-filing vendors aren't doing enough to protect the personal information of taxpayers, senators said Tuesday.

The IRS needs to step up its cyberecurity efforts, said members of the Senate Finance Committee, citing two recent data breaches at the agency, along with 94 open cybersecurity recommendations from the Government Accountability Office.

"Hackers and crooks, including many working for foreign crime syndicates, are jumping at every opportunity they have to steal hard-earned money and sensitive personal data from U.S. taxpayers," Senator Ron Wyden, an Oregon Democrat, said during a hearing. "In my view, taxpayers have been failed by the agencies, the companies, and the policymakers here in Congress they rely on to protect them."

Senators noted a breach, discovered last May, in the IRS Get Transcript service, which allows taxpayers to request copies of old tax returns. The breach allowed attackers access to more than 720,000 taxpayer accounts between January 2014 and May 2015, the IRS said.

Last month, the IRS suspended a Web-based service allowing taxpayers to retrieve so-called IP Protection PINs (IP PINs), a six-digit ID number, after security problems with the service. Attackers were able to access the e-file PINs connected to more than 100,000 Social Security numbers in a January attack, the IRS said.

The agency was issuing the PINs using only single-factor authentication, a violation of federal standards, said J. Russell George, inspector general for tax administration in the Department of the Treasury.

After the IRS mailed PINs to the Get Transcript hacking victims, "it repeated its mistake and used lax security online," Wyden said. "For the tax scammers, once again it was as easy as going online, plugging in the personal data you’ve already stolen, and pretending to be somebody who’s lost their IP PIN. So after leaving the front door open, the IRS left the back door open, too. There is no excuse for this."

The IRS breaches are among a growing list of major government breaches. Just this month, the Philippine Commission on the Elections said the personal information of about 70 million people was compromised by hackers. And a hacking group called Cyber Justice Team leaked data from several Syrian government and private websites.

The IRS isn't the only weak link in U.S. taxpayer security, Wyden said. E-file vendors have had their own security problems, he said, and congressional authority allowing the IRS to streamline its cybersecurity hiring process has lapsed. 

The streamlined hiring authority is important, said John Koskinen, the agency's commissioner. Most qualified cybersecurity workers won't wait around for the three- to six-month standard federal hiring process, he said.

The IRS is working hard to improve its cybersecurity, Koskinen added. The agency has gotten more than 2,000 security recommendations from the GAO and the Treasury Department's inspector general in recent years, and it has implemented more than 80 percent of them, he said.

Security of taxpayer information is a "top priority," Koskinen said. IRS systems withstand more than 1 million malicious attempts to access data each day, he added.

But Senator Chuck Grassley, an Iowa Republican, questioned why the IRS hasn't implemented some inexpensive GAO recommendations, like changing the passwords on some of its servers every 90 days or providing online security training to new contractors. 

"Would you agree that these are low-cost changes that could improve computer security?" Grassley asked Koskinen. "Why haven't they been done?"

The IRS is moving away from passwords, which are "somewhat questionable" in terms of providing security, and toward access cards, Koskinen said. "We are working as quickly as we can" to implement other recommendations, he added.

Join the CSO newsletter!

Error: Please check your email address.

More about Internal Revenue ServiceIRS

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Grant Gross

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place