Expanded IRS online services put taxpayer information at risk, Senate committee told

By Sally P. Schreiber, J.D.

By expanding its online services, the IRS is putting taxpayers’ data at greater risk, the Treasury Inspector General for Tax Administration told Congress on Tuesday.

“Providing taxpayers more avenues to obtain answers to their tax questions or to access their own tax records online . . . provides more opportunities for exploitation by hackers and other fraudsters,” warned Russell George in testimony before the Senate Finance Committee.

George and IRS Commissioner John Koskinen testified before the committee, which is charged with oversight of the IRS, about the recent revelation that cybercriminals had breached the security protocols of the Get Transcript online application, a service for taxpayers to obtain prior-year tax returns for various purposes such as loans and student financial aid.

According to Koskinen, the cybercriminals overcame a multistep authentication process that required the taxpayer’s Social Security number, date of birth, tax filing status, and home address. They also had to answer what the IRS calls several “out-of-wallet” questions (i.e., knowledge-based authentication questions) that only the taxpayer would normally know, such as the amount of a monthly home or car payment. Koskinen explained that, because the cybercriminals had this other information, the IRS believes that it was dealing with sophisticated organized crime syndicates.

In his testimony, however, George noted that the proliferation of data breaches, the amount of information freely available on the internet, and the expansion of e-commerce have combined to make knowledge-based authentication less secure.

According to Koskinen, since the data breach, about 13,000 questionable returns were filed for tax year 2014 for which the IRS issued refunds totaling about $39 million (average of $3,000 per return). The IRS is in the process of determining how many were filed by the actual taxpayers and how many involved stolen identities. The incident is also being investigated by TIGTA.

The IRS suspended the Get Transcript application after discovering the breach and is notifying the approximately 200,000 affected taxpayers of the attempts to obtain their data. The agency has already notified the approximately 100,000 taxpayers who had their data compromised and has offered free credit monitoring and suggested that affected taxpayers obtain an identity protection personal identification number (IP PIN), which it uses for other victims of identity theft.

However, George warned that “the risk for this type of unauthorized access to tax accounts will continue to grow as the IRS focuses its efforts on delivering taxpayers self-assisted interactive online tools.” He noted, for example, that the IRS is preparing to launch a secure messaging pilot program in fiscal year 2016, which would lead to a “broader taxpayer digital communication rollout in the future.” He also testified that his agency has found security weaknesses throughout IRS systems.

Sally P. Schreiber (sschreiber@aicpa.org) is a JofA senior editor.

