Hackers Using Prior Data Breaches to Penetrate IRS Tax Info
Internal Revenue Service Commissioner John Koskinen defended the IRS’s cybersecurity efforts during a contentious congressional hearing Thursday on the IRS’s ability to protect taxpayer systems.
“Securing our systems and taxpayer data continues to be a top priority for the IRS,” Koskinen said during a hearing before the House Science Committee’s Subcommittee on Research and Technology. “Even with our constrained resources as a result of repeatedly decreased funding over the past few years, we continue to devote significant time and attention to this challenge, which is twofold. First, the IRS works continuously to protect our main computer systems from cyber incidents, intrusions and attacks, but our primary focus is to prevent criminals from accessing taxpayer information stored in our databases. These core tax processing systems remain secure, through a combination of cyber defenses, which currently withstand more than one million attempts to maliciously access our systems each day. Second, the IRS is waging an ongoing battle to protect taxpayers and their information as we confront the growing problem of stolen identity refund fraud.”
Committee chairman Lamar Smith, R-Texas, pointed to recent reports from the Treasury Inspector General for Tax Administration and the Government Accountability Office that found problems with the IRS’s identity authentication methods and cybersecurity. “The U.S. Government Accountability Office has identified a number of ongoing cybersecurity system gaps and IRS failures to fully implement certain security controls,” he said. “The report found that of 28 prior GAO cybersecurity recommendations to the IRS, nine have not been effectively implemented. These gaps could open the door for cyber criminals to steal confidential taxpayer data. The past year’s IRS breaches are especially troubling. Taxpayer data was fraudulently accessed, not through a forcible compromise of the computer systems, but by hackers who correctly answered security questions that should have only been answerable by the actual individual.”
Smith acknowledged the hackers probably had originally accessed the data they used to compromise the IRS’s system from prior high-profile hacks, such as data breaches last year at the federal government’s Office of Personnel Management and at Anthem Health Insurance. Koskinen pointed out that the IRS has never experienced a data breach of its database in its history, although he acknowledged information already in the hands of cybercriminals was used to access the IRS’s online Get Transcript and Identity Protection PIN systems.
“The reality is criminals are becoming increasingly sophisticated and are gathering vast amounts of personal information as the result of data breaches at sources outside the IRS,” said Koskinen. “We must balance the strongest possible authentication processes with the ability of taxpayers to legitimately access their data and use IRS services online. It is important to note that cybercrime (theft by unauthorized access) and privacy breaches are increasing across the country in all areas of government and industry. Cybercriminals and their methods continue to grow in sophistication, frequency, brazenness, volume and impact. The IRS will continue to be challenged in our ability to maintain currency with latest technologies, processes and counter-measures.”
Rep. Barbara Comstock, R-Va., who chairs the Research and Technology Subcommittee, said she too had suffered from the breach at the Office of Personnel Management. “While I appreciate the IRS’ efforts to accommodate most people’s desire to access their tax information electronically, it cannot do so at the expense of their security,” she said. “As someone whose information was compromised in last year’s OPM hack, I assure you, more security is better than less. This would also help many of my federal employee constituents who were impacted by the OPM breach, as well as by last year’s Anthem cyber-attack. As one of the largest health insurance providers in the Commonwealth, the Anthem hack hit particularly close to home for us too.”
J. Russell George, head of the Treasury Inspector General for Tax Administration, confirmed the seriousness of the cybersecurity threat facing the federal government and the IRS in particular. “Cybersecurity threats against the federal government continue to grow,” he said. “Since 2011, my office has identified the security of taxpayer data as the most serious management and performance challenge confronting the IRS. According to the Department of Homeland Security’s U.S. Computer Emergency Readiness Team, federal agencies reported 77,183 cyberattacks in FY 2015, an increase of more than 10 percent from FY 2014.”
George acknowledged that hackers are using the information they get from other data breaches to access the IRS’s systems. “The increasing number of data breaches in the private and public sectors means more personal information than ever before is available to unscrupulous individuals,” he said. “Much of these data are detailed enough to enable circumvention of most authentication processes. Therefore, it is critical that the methods the IRS uses to authenticate individuals’ identities provide a high level of confidence that tax information and services are provided only to individuals who are entitled to receive them. The risk of unauthorized access to tax accounts will continue to grow as the IRS focuses its efforts on delivering online tools to taxpayers. The IRS’s goal is to eventually provide taxpayers with dynamic online account access that includes viewing their recent payments, making minor changes and adjustments to their accounts, and corresponding digitally with the IRS.”
Gregory C. Wilshusen, director of information security issues at the Government Accountability Office, presented a GAO report on the IRS’s continuing challenges with cybersecurity. The report noted that in March, the GAO reported that the IRS had instituted numerous controls over key financial and tax processing systems, but it had not always effectively implemented safeguards to properly restrict access to the systems and information (see IRS Faulted for Controls over Financial and Taxpayer Data).
In particular, while the IRS had improved some of its access controls, weaknesses remain with identifying and authenticating users, authorizing users’ level of rights and privileges, encrypting sensitive data, auditing and monitoring network activity, and physically securing its computing resources. The weaknesses were due in part to the IRS’s inconsistent implementation of its agency-wide security program, including not fully implementing a variety of GAO recommendations.