Office of Audit


actions Were Not Always taken to Protect Taxpayers ASSOCIATED WITH Reported EXTERNAL Data Breaches

Final Report issued on November 14, 2018

Highlights of Reference Number:† 2019-40-010 to the Commissioner of Internal Revenue.


Identity thieves continue to conduct more sophisticated fraud schemes using stolen tax information from employers and tax return preparers to file fraudulent returns that often mirror the actual taxpayerís return.† To assist taxpayers and help protect them from tax-related identity theft, the IRS must distinguish the identity thievesí tax returns from returns filed by the taxpayers.


This audit was initiated to assess the effectiveness of IRS assistance to victims of external data breaches.


In response to the increasing number of data breaches, the IRS has taken many actions to inform external stakeholders on how to protect taxpayer information as well as actions to take if a data breach occurs.† For example, the IRS developed and released tax tips, alerts, and news releases on its public website to educate stakeholders and the public on safeguarding taxpayer information and actions they should take if their systems have a data breach.

For Calendar Year 2017, the IRSís Return Integrity and Compliance Services (RICS) organization recorded 730 external data breaches on its Incident Management Tracker Matrix.† However, our review identified that RICS analysts did not record and monitor 89 data breaches of external entities that were reported to the IRS. †For 70 of these incidents, the RICS analysts did not request the external entity to provide the IRS with a list of stolen client Taxpayer Identification Numbers (TIN).† The analysts should have also recorded these incidents on the tracker.† In another four data breaches, the external entity declined to provide a TIN list.† For these breaches, RICS analysts did not attempt to create a list of stolen TINs as required.

In addition, the external entity provided a TIN list for 15 data breaches but the RICS analysts did not record the incidents on the Incident Management Tracker Matrix.† As a result, 11,406 Social Security Numbers associated with these breaches were not added to the IRSís Dynamic Selection List (DSL) to protect taxpayers from tax-related identity theft.† For 79 of these Social Security Numbers, the taxpayers already experienced the burden of an identity thief using their Social Security Number to file a fraudulent Tax Year 2016 or 2017 return.

Our review also identified that RICS analysts did not add to the DSL, as required, all the TINs associated with 105 external data breach incidents recorded on the Incident Management Tracker Matrix in Calendar Year 2017.


TIGTA recommended that the IRS 1) record the 89 data breaches on the Incident Management Tracker Matrix and apply the appropriate treatment; 2) develop procedures to ensure that all reported data breaches are added to the Incident Management Tracker Matrix and ensure that RICS analysts add reported TINs to the DSL, if appropriate; 3) research the TINs that TIGTA identified as potentially not being on the DSL and add them, as appropriate; and 4) add the missing TINs that TIGTA identified to the DSL to allow detection of potential identity theft returns filed using the TINs.

The IRS agreed with all four recommendations.† IRS management completed its review of referred TINs from data breaches and assigned applicable TINs to the appropriate treatment stream and the DSL.† Additionally, IRS management is currently developing the Incident Management and Other DSL Treatments Database to replace the current method for updating, monitoring, and tracking incidents referred to the RICS function.


To view the report, including the scope, methodology, and full IRS response, go to:


Phone Number ††/† 202-622-6500

E-mail Address †/

Website†††††† ††††††/