Treasury Inspector General for Tax Administration
March 27, 2017
TIGTA - 2017-04
Contact: Karen Kraushaar, Director of Communications
WASHINGTON — The Internal Revenue Service (IRS) did not deactivate the Identity Protection Personal Identification Number (IP PIN) Program after a May 17, 2015 system security breach was identified, according to a report publicly released today by the Treasury Inspector General for Tax Administration (TIGTA).
Despite TIGTA’s repeated recommendations to the IRS to shut down its online IP PIN application, the IRS allowed the application to remain active and implemented processes to mitigate the risk of fraudulent tax returns being filed with IP PINs obtained from the IP PIN application for the 2016 Filing Season. The IRS intended to manually review tax returns filed with an IP PIN that was viewed via the application. However, TIGTA’s review of 32,623 tax returns filed between January 19 and May 24, 2016 with an IP PIN that was viewed online identified that 12,020 returns (36.8 percent) were not manually reviewed.
An IP PIN is a six-digit number assigned to taxpayers that allows their tax returns/refunds to be processed without delay and helps prevent the misuse of their Social Security Numbers to file fraudulent Federal income tax returns.
IP PINs are sometimes proactively made available through the IRS’s Opt-in Program, which is designed to focus on taxpayers in States and locations with the highest per capita rate of identity theft, offering these taxpayers the opportunity to obtain an IP PIN before becoming a victim of tax-related identity theft.
“As identity theft continues to represent one of the most serious ongoing threats to the Federal system of tax administration, the IRS must do everything in its power to aid victims of this crime,” said J. Russell George, the Treasury Inspector General for Tax Administration. “I am pleased that the IRS has agreed with TIGTA’s concerns and has developed a plan to implement our recommendations,” he added.
The report also found that taxpayer accounts were not always consistently updated to ensure that IP PINs were generated for taxpayers as required. The IRS failed to generate an IP PIN for more than 2 million taxpayers for whom the IRS resolved an identity theft case. Additionally, the IP PIN notice continues to contain inaccurate information. Finally, the IRS has not updated its identification of locations that may now have the highest per capita rate based on identity theft complaints.
TIGTA made five recommendations in the report. In response, IRS management noted that they shared TIGTA’s concerns and have developed mitigation strategies to address potential vulnerabilities.
Read the report.
Note: The difference between the date TIGTA issues an audit report to the Internal Revenue Service and the date TIGTA publicly releases the report is due to TIGTA's internal review process to ensure that public release is in compliance with Federal confidentiality laws.