Report: IRS Failed to Address Nearly 2,000 Security Vulnerabilities in Child Tax Credit Portal

In yet another example of the Internal Revenue Service (IRS) neglecting taxpayer privacy and security, the agency failed to address nearly 2,000 security vulnerabilities in a timely manner. These security vulnerabilities existed in the Child Tax Credit Update Portal and Secure Access Digital Identity (SADI) system, according to a recent report by the Treasury Inspector General for Tax Administration (TIGTA). 

The American Rescue Plan of 2021, enacted by President Biden and Congressional Democrats turned the Child tax credit (CTC) into a monthly welfare payment. This required the IRS to establish create the CTC Update Portal, which was deployed in June of 2021 to distribute payments.

Unfortunately, there were several security vulnerabilities identified in this new portal, potentially putting taxpayer dollars and taxpayer data at risk. Worse, the vulnerabilities identified were not remediated in a timely manner, as TIGTA explains: 

“The IRS implemented 311 (87 percent) of 356 applicable security controls for the CTC Update Portal and SADI system, but the Privacy, Governmental Liaison, and Disclosure organization does not have a formal documented process to manage the selection, implementation, and assessment of privacy controls… 

The IRS failed to timely remediate 1,818 critical (356 unique), six high (all unique), and two medium (all unique) security vulnerabilities that were identified in either the CTC Update Portal or SADI system.” 

The report also found that 96 percent of CTC portal and SADI system servers were noncompliant: 

“In addition, 199 (96 percent) of 207 CTC Update Portal and SADI system servers were noncompliant due to either failing a high-compliance check or having weighted compliance scores of less than 90 percent. The IRS stated that the root cause of the remediation findings stemmed from older software versions being installed during the server build process.” 

In fact, a simple administrative oversight resulted in a 28-hour outage of the system: 

“Finally, an administrative oversight related to server monitoring resulted in a CTC Update Portal outage for approximately 28 hours.” 

Taxpayers should be alarmed by the IRS’s repeated failure to protect taxpayer data. Over the years, serious security vulnerabilities within the agency have been highlighted by federal watchdog organizations.  

These vulnerabilities are especially concerning given the recent unauthorized release of taxpayer information to ProPublica. In June 2021, it was revealed that the private tax files of thousands of Americans – covering a period of 15 years — had been stolen and given to the progressive news organization. The IRS and the Biden administration immediately vowed to investigate and prosecute. To this day, there are still no answers from the government. 

In 2018, the Treasury Inspector General for Tax Administration (TIGTA) released a report spelling out security vulnerabilities within the IRS. Specifically, the IRS failed to properly implement a new security system that was put in place after a cyber hack in 2016. 

After the 2016 breach, IRS Cybersecurity staff decided to move all taxpayer information into a Cyber Security Data Warehouse (CSDW), a centralized place to store taxpayer Personally Identifiable Information (PII) which includes names, addresses, social security numbers and birthdays. While this new security system was supposed to prevent another breach, it actually created more security vulnerabilities. 

In 2016, the IRS lost track of laptops containing sensitive taxpayer data. TIGTA estimates that the IRS had failed to properly document the return of 84.2 percent, or more than 1,000 computers due to be returned by contract employees. 

Despite the agency’s repeated failure to safeguard taxpayer information and perform its most basic duties, President Biden wants to increase the IRS’s funding by $80 billion and hire 87,000 new IRS agents, enough to fill Nationals Park twice. Biden also wants to grant the IRS new powers and responsibilities, including having the agency snoop on every personal and business bank account and Venmo account in the country.  

Unfortunately, the security vulnerabilities in the CTC portal system are some of many examples of security vulnerabilities in IRS systems. Given the agency has repeatedly failed to safeguard taxpayer information we shouldn’t trust them to gather even more sensitive information.