Vast IRS database of sensitive information is supposed to be highly restricted and heavily monitored for misuse. The official IRS watchdog found it is neither of those things.
The IRS has given 20 unpaid “researchers and student volunteers” sweeping access to Americans’ sensitive tax data including unmasked Personally Identifiable Information, according to a Treasury Inspector General for Tax Administration (TIGTA) audit made public Monday.
The Personally Identifiable Information includes date of birth, place of birth, mother’s maiden name, IP address, vehicle identifiers, passport number, financial account numbers, tax account information, phone numbers, email addresses and several other categories. A 2023 IRS document states the system also includes Social Security numbers.
TIGTA is the federal government’s official IRS watchdog. The detailed report shows that despite a large infusion of taxpayer money, the deep-seated IRS cultural disregard for taxpayer privacy has not changed.
Given the continued lax IRS security environment, another large data theft and privacy violation is inevitable.
DETAILS
The report released Monday examined IRS security management of the IRS Compliance Data Warehouse (CDW), one of the world’s largest compilations of sensitive data.
TIGTA describes this IRS system as, “a massive data warehouse containing multiple years of Federal Tax Information and Personally Identifiable Information consolidated from multiple sources, internal and external to the IRS.”
The CDW includes Individual Master File data, Business Master File data, tax return data, conversations between a taxpayer and an IRS agent, and actions that took place on behalf of the IRS.
Due to its sensitive nature, the database is supposed to be highly restricted and heavily monitored for any potential misuse.
But the report found that a total of 1,173 people have access to the database and they are not adequately monitored, to put it charitably.
78% of them (919 people) have access to Americans’ Personally Identifiable Information.
Who are the 919 people? 587 are IRS employees. 239 are contractors. 73 work for other federal agencies. And 20 are “researchers and student volunteers.”
The TIGTA report notes that system users can remotely download database contents onto IRS-issued laptops.
It is bad enough that 919 government bureaucrats and contractors have such broad access to everyone’s data.
But who are the 20 “researchers and student volunteers”? What are their names? How are they chosen? Do they have any philosophical or political agenda with respect to taxation? Do they have an axe to grind? Who in the IRS specifically approves them and how? Did Americans ever agree to have their private information made available to these unknown people? Why are they given access to Personally Identifiable Information?
Below: a screenshot excerpt from the new TIGTA report:
Even worse, the internal IRS system designed to monitor and flag misuse of this database is severely lacking, according to the TIGTA audit.
The IRS security team was busted for being asleep at the wheel.
For example, TIGTA wrote:
“Based on the information provided, we determined that the Compliance and Audit Monitoring team is not reviewing any of the required actionable events, i.e., actionable events require timely review to determine if additional escalation or notifications are required.”
TIGTA continues:
“The audit trails must be recorded in the system’s security documentation for indications and potential impact of inappropriate or unusual activity. Per agency security policies [REDACTED].”
And:
“In addition to not reviewing, analyzing, and reporting on the actionable events, we found the current process for these audit events and actionable events from other IRS tax systems and applications to be [REDACTED].”
A screenshot of that excerpt is below:
The non-redacted portions are damning enough, and Americans can only imagine what is contained in the redacted portions.
Sensitive taxpayer data and personally identifiable information could be stolen without detection.
TIGTA wrote:
“By failing to timely review the CDW’s required actionable audit events, unauthorized access to sensitive taxpayer data and Personally Identifiable Information could be occurring without detection.”
Even after the 2023 discovery of the largest theft in IRS history, it is business as usual at the IRS.
The official name of the report is, “Compliance Data Warehouse Security Needs Improvement.” Understatement of the year.
[Note: The report is dated Sept. 9, 2024, but was only published Monday, Sept. 16. It is normal for the public release to appear several days after the cover sheet date.]
Stay tuned for updates to this story.