A report on IRS identity theft protections by the Treasury Inspector General for Tax Administration was publicly released today, revealing that an estimated 2.2 million tax returns were not entered into a key system used in fraud detection.

According to the report, the 2.2 million returns were not uploaded into the Dependent Database, known as DDb, due to “an oversight.” The IRS was not aware of its failure to load the returns into DDb until notified by TIGTA on Feb. 13, 2015. The IRS eventually corrected the issue three weeks later, on March 6, 2015.

The TIGTA report, titled “Continued Refinement of the Return Review Program Identity Theft Detection Models Is Needed to Increase Detection,” notes that the failure to recognize some legitimate identity theft cases and the failure to properly maintain taxpayer data between the DDb system and an additional fraud detection filter, the Return Review Program (RRP), occurred in part because the IRS did not fully implement all capabilities of the selection models, such as filters and flagged selection groups.

TIGTA stated:

“Internal IRS guidelines require tax examiners to monitor the taxpayer’s account to determine whether the taxpayer updated their address or provided a reasonable explanation of why the refund was returned undeliverable. If after 30 calendar days the taxpayer has not satisfactorily resolved the issue and the refund has not been reissued, the IRS will treat the refund as being associated with an identity theft tax return and reverse the fraudulent tax return’s data entries from the taxpayer’s account and place an identity theft indicator on the taxpayer’s account. When we brought this to IRS management’s attention on July 10, 2015, the IRS responded that it had not started this process nor has a start date for this process been established.”

When questioned, IRS officials “did not have an explanation as to why procedures were only changed for checks returned undeliverable.”

The Office of Audit commented on this problem:

“Review of the 70 accounts found that 61 did not have the required undeliverable tax refund check process identity theft indicator. For the remaining nine, the indicators were added subsequent to the completion of our analysis” – meaning these taxpayers did not get their refund and accounts were flagged as fraudulent.

Failure to protect taxpayer data is not an isolated case when it comes to the IRS. Last year, the agency’s ineptitude resulted in the taxpayer data of 330,000 filers being stolen, despite countless watchdog warnings.

Since 2007, the IRS has been warned at least seven times by watchdog groups that it needed to strengthen its protections of taxpayer information. Most recently:

  • In a 2014 report, the Treasury Inspector General for Tax Administration (TIGTA) warned that if stronger protections are not implemented, “taxpayers could be exposed to the loss of privacy and to financial loss and damages resulting from identity theft or other financial crimes.”
  • A 2013 report found that the IRS had failed to fully implement eight recommendations that would increase security over taxpayer data, despite telling TIGTA they had been implemented.
  • A 2011 report found that taxpayer data was vulnerable to hackers and that stronger security measures were needed.
  • In 2010, TIGTA found that the agency had inadequate safeguards to protect taxpayer information from contract workers.

