6671146587_a18034d4e5_o

Taxpayers should be alarmed by the IRS’s repeated failure to protect taxpayer data. Over the years, serious security vulnerabilities within the agency have been highlighted by federal watchdog organizations. These vulnerabilities are especially concerning given the recent unauthorized release of taxpayer information to the progressive organization, ProPublica.

In 2018, the Treasury Inspector General for Tax Administration (TIGTA) released a report spelling out security vulnerabilities within the IRS. Specifically, the IRS failed to properly implement a new security system that was put in place after a cyber hack in 2016.

After the 2016 breach, IRS Cybersecurity staff decided to move all taxpayer information into a Cyber Security Data Warehouse (CSDW), a centralized place to store taxpayer Personally Identifiable Information (PII) which includes names, addresses, social security numbers and birthdays. 

 While this new security system was supposed to prevent another breach it instead created more security vulnerabilities. As the report notes:

“Two years after the IRS decision to transfer taxpayer data to the CSDW, some controls remain weak, and documentation is not complete…. the IRS did not implement CSDW auditing controls that would allow it to monitor fraud analysis.”

 The IRS failed to analyze potential risks from transferring data. Because of this, the IRS would not be aware of, or able to identify security threats internally or externally: 

“There is an increased risk that the IRS would be unable to identify relevant threats to the organization. Further, the IRS may be unaware of internal and external vulnerabilities that exist that could negatively impact the organization.”

The IRS also failed to notify some of its employees of the change in how they store taxpayer data. Keeping employees out of the loop meant that this data wasn’t properly protected once again, putting taxpayers’ data at risk:

“The General Support System-1 authorizing official was unaware that the CSDW now stores taxpayer data for use in fraud analysis…. if appropriate officials are not aware that PII has been transferred…they cannot adequately protect that data or take steps to prioritize necessary resources to appropriately manage the system from a security perspective.” 

The IRS left taxpayer data vulnerable by failing to properly set up this new security system. As a result, the IRS left the door open to new security weaknesses leaving taxpayer information, which includes social security numbers and birthdates, vulnerable to a data breach.

The IRS has a long history of failing to protect taxpayer’s personal information. Despite this, President Biden wants to increase the IRS’s funding and hire 87,000 new IRS agents, enough to fill Nationals Park twice and the Roman Colosseum 1.74 times. Biden also wants to grant the IRS new powers and responsibilities, including having the agency snoop on every personal and business bank account and Venmo account in the country. 

Given the IRS has repeatedly failed to safeguard taxpayer information we shouldn’t trust them to gather even more sensitive information.