IRS blistered anew by internal watchdog for lax protections of taxpayer data after criminal leak
Agency failed to revoke access to sensitive tax systems from contractors who failed background checks and doesn’t have protections for some systems to prevent leaks, TIGTA said.
The IRS failed to revoke access to sensitive tax systems from contractors who failed background checks and doesn’t have protections for some of those systems to prevent unauthorized removal of taxpayer data, the agency’s chief watchdog warns in a stinging rebuke that comes on the heels of a devastating criminal leak of tax records.
“The fact remains that for some sensitive systems, the IRS does not have adequate controls to detect or prevent the unauthorized removal of data by users,” the Treasury Department Inspector General for Tax Administration (TIGTA) concluded in a report this month.
That report was issued at the same time ex-IRS contractor Charles Edward Littlejohn was sentenced to five years in prison for leaking tax information to news organizations about former President Donald Trump and countless other wealthy Americans.
It also is a fresh reminder that the IRS has struggled for decades to fix lax security. TIGTA first began warning that the IRS was doing a poor job protecting taxpayer information back in 2007, when George W. Bush was still president. Three presidents later, those concerns linger.
In its new report, TIGTA cited the IRS for multiple vulnerabilities, among them that several contractors who failed background checks as recently as last summer still had access to sensitive systems.
“Specifically, 19 contractors’ most recent background investigations were not favorable as of July 13, 2023,” the report stated. “However, these contractors still retained their access to one or more sensitive systems because the IRS did not take action to suspend or disable the contractors from the IRS’s systems, as required.”
TIGTA said it also found that 279 contractors and employees no longer with the agency still had access to at least one sensitive computer system. “Actions were not always taken to timely remove users once they separated from the IRS,” the report warned.
The report also raised serious concerns about the IRS’ ability to stop another illegal leak of taxpayer information like the one that Littlejohn pled guilty to.
“For some sensitive systems, the IRS does not have adequate controls to detect or prevent the unauthorized removal of data by users,” the watchdog reported.
“TIGTA has reported that a key deficiency in the IRS’s detection and deterrence processes did not ensure that all sensitive systems provide complete, accurate, and usable audit trail logs for monitoring and identifying unauthorized access and for other investigative purposes,” the report added.
Adding to the watchdog’s concerns was the fact that the IRS struggled to come up with a complete list of sensitive computer systems, eventually identifying 319.
“To perform this evaluation, we requested information from the IRS that identifies all sensitive systems,” the report noted. “However, our ability to obtain a complete and reliable inventory of its sensitive systems was an ongoing challenge throughout this evaluation.”
House Ways and Means Committee Chairman Jason Smith, R-Mo., whose panel requested the TIGTA inquiry, plans to question the IRS chief at a hearing on Thursday.
IRS officials said they are making strides to fix the deficiencies that were flagged in the report and that led to Littlejohn’s illegal breach.
“Our data security and environment is dramatically better today than it was in 2017 to 2020 when this unauthorized access occurred,” IRS Commissioner Daniel Werfel said. “And it’s dramatically better today because we now have the resources to make the right investments to strengthen our data security. And we have made dramatic changes.”
TIGTA noted improvements were underway but far from complete.
“The IRS is evaluating steps to improve its ability to safeguard data housed on its sensitive systems,” the report said. “These steps include identifying and recording user actions when accessing sensitive data and tracking authorized and unauthorized attempts of removal of sensitive data from its systems.”
It added: “A key initiative is the IRS’s Compliance Data Warehouse enhanced data security project that will enhance security controls for user access and data exporting of Federal Tax Information from certain IRS systems.”