Treasury Inspector General for Tax Administration
June 8, 2016
TIGTA - 2016-16
Contact: Karen Kraushaar, Director of Communications
WASHINGTON — The Internal Revenue Service (IRS) did not identify and assist all individuals potentially affected by the ‘Get Transcript’ application data breach, according to an audit report publicly released today by the Treasury Inspector General for Tax Administration (TIGTA).
The IRS ‘Get Transcript’ application allowed taxpayers to view and download their tax information on the IRS public website. On May 21, 2015, the IRS removed this application from its website after discovering it was being used for unauthorized accesses to taxpayer data. The IRS believes that some of this information may have been gathered to file fraudulent tax returns.
The purpose of the audit was to evaluate IRS identification of and assistance to victims of the breach. Assistance includes sending potential victims a notification letter and placing an identity theft incident marker on their accounts.
“While the IRS acted swiftly to disable its application upon learning of the data breach, our auditors found that it did not identify all taxpayers who were potentially affected, and whose tax information was at risk of being used by unauthorized individuals,” said J. Russell George, the Treasury Inspector General for Tax Administration. “Once we notified the IRS of this issue, it acted to notify these additional taxpayers,” he added.
TIGTA’s analysis of IRS system audit logs created between January 1, 2014, and May 21, 2015, identified 620,931 taxpayers whose tax account information involved a potentially unauthorized access not identified by the IRS. Further analysis of these access attempts found that potentially unauthorized users were successful in obtaining access to 355,262 of the taxpayers’ accounts.
In the audit, TIGTA also identified 2,470 additional taxpayers whose accounts were targeted through the breach but whom the IRS did not identify. This resulted from the IRS erroneously excluding three system error codes when identifying accounts of potential victims.
In addition, the IRS did not place identity theft incident markers on the tax accounts of 3,206 taxpayers whom the IRS identified as affected by the breach. After TIGTA questioned the IRS’s rationale for not placing the marker on all tax accounts, management agreed that all affected taxpayer accounts need the marker. As a result, IRS officials informed TIGTA that they would ensure that all affected taxpayer accounts receive the identity theft marker.
Finally, the IRS did not offer an Identity Protection Personal Identification Number (IP PIN) or free credit monitoring to 79,122 individuals whose tax accounts the IRS identified as being involved in an attempted access.
TIGTA made eight recommendations in its report, including that the IRS implement additional evaluative methods to identify all individuals affected by the breach; issue notification letters to 620,931 taxpayers whose accounts were potentially targeted and place identity theft incident markers on their accounts; ensure that authentication system error codes are analyzed when responding to future data breaches; and issue IP PINs to the 79,122 individuals whose personal information was used by unauthorized individuals to attempt access to the ‘Get Transcript’ application.
The IRS agreed with seven of the eight recommendations. The IRS disagreed with the recommendation to issue IP PINs to the 79,122 individuals with attempted accesses to their tax information. Although it disagreed with the recommendation, it acknowledged the potential inconsistency in its IP PIN issuance policy and stated that it would consider this inconsistency in future IP PIN policy decisions. TIGTA is concerned that the lack of prompt action on this issue leaves these taxpayers’ accounts at an increased risk of fraud.
Note: The difference between the date TIGTA issues an audit report to the Internal Revenue Service and the date TIGTA publicly releases the report is due to TIGTA's internal review process to ensure that public release is in compliance with Federal confidentiality laws.