THE INTERNAL REVENUE SERVICE DID NOT IDENTIFY AND ASSIST ALL INDIVIDUALS POTENTIALLY AFFECTED BY THE GET TRANSCRIPT APPLICATION DATA BREACH
Final Report issued on May 16, 2016
Highlights of Reference Number: 2016-40-037 to the Internal Revenue Service Commissioner for the Wage and Investment Division.
IMPACT ON TAXPAYERS
The IRS Get Transcript application allows taxpayers to view and download their tax information on the IRS public website. On May 21, 2015, the IRS removed this application from its website after discovering it was being used for unauthorized accesses to taxpayer data. The IRS believes that some of this information may have been gathered to file fraudulent tax returns.
WHY TIGTA DID THE AUDIT
This audit was conducted to evaluate IRS identification and assistance to victims of the Get Transcript application breach. Assistance includes sending potential victims a notification letter and marking their accounts with an identity theft incident marker.
WHAT TIGTA FOUND
The IRS did not identify all individuals potentially affected by the Get Transcript application breach. Our analysis of system audit logs created between January 1, 2014, and May 21, 2015, identified 620,931 taxpayers whose tax account information involved a potentially unauthorized access not identified by the IRS. Further analysis of these access attempts found that potentially unauthorized users were successful in obtaining access to 355,262 of the taxpayers’ accounts.
TIGTA also identified 2,470 additional taxpayers whose accounts were targeted through the Get Transcript application breach that the IRS did not identify. This resulted from the IRS erroneously excluding three system error codes when identifying accounts of potential victims.
In addition, the IRS did not place identity theft incident markers on the tax accounts of 3,206 taxpayers whom the IRS identified as affected by the Get Transcript application breach. After TIGTA questioned the IRS’s rationale for not placing the marker on all tax accounts, management agreed that all affected taxpayer accounts need the marker. As a result, IRS officials informed us that they would ensure that all affected taxpayer accounts receive the identity theft marker.
Finally, the IRS did not offer an Identity Protection Personal Identification Number (IP PIN) or free credit monitoring to 79,122 individuals whose tax accounts the IRS identified as being involved in an attempted access.
WHAT TIGTA RECOMMENDED
TIGTA recommended that the IRS:
1) implement additional evaluative methods to identify all individuals affected by the breach;
2) issue notification letters to 620,931 taxpayers whose accounts were potentially targeted and place identity theft incident markers on their accounts;
3) ensure that authentication system error codes are analyzed when responding to future data breaches as well as notify the additional 2,470 taxpayers identified and place identity theft incident markers on their accounts;
4) place identity theft incident markers on the 3,206 taxpayer accounts, as required; and
5) issue IP PINs to the 79,122 individuals whose personal information was used by unauthorized individuals to attempt access to the Get Transcript application.
The IRS agreed with seven of the eight recommendations. The IRS disagreed with the recommendation to issue IP PINs to the 79,122 individuals with attempted accesses to their tax information. Although it disagreed with the recommendation, it acknowledged the potential inconsistency in its IP PIN issuance policy and stated that it would consider this inconsistency in future IP PIN policy decisions. TIGTA is concerned that the lack of prompt action on this issue leaves these taxpayers’ accounts at an increased risk of fraud.
READ THE FULL REPORT
To view the report, including the scope, methodology, and full IRS response, go to:
Phone Number / 202-622-6500
E-mail Address / TIGTACommunications@tigta.treas.gov
Website / https://www.treasury.gov/tigta