IRS transcript system still vulnerable to cybercriminals
The Internal Revenue Service’s Transcript Delivery System still doesn’t protect taxpayers against unauthorized release of their tax transcripts, according to a new report, despite a new authentication system that was installed after a high-profile data breach.
The report, from the Treasury Inspector General for Tax Administration, found that IRS controls for verifying and validating tax transcript requests through the Transcript Delivery System still don’t comply with the federal government’s information security standards and don’t do enough to protect taxpayers against unauthorized release of their tax information.
In May 2015, the IRS’s Computer Security Incident Response Center detected a backlog of undeliverable confirmation code emails from people trying to access the Get Transcript application and discovered they were coming from suspicious sources. As a result, the IRS deactivated the Get Transcript application that month. It eventually found the data breach affected hundreds of thousands of people (see IRS finds ‘Get Transcript’ data breach was more widespread and IRS didn’t help all taxpayers affected by ‘Get Transcript’ data breach). The IRS didn’t restore the app until more than a year later, using a multifactor authentication process that was supposed to protect the app from identity thieves (see IRS relaunches ‘Get Transcript’ app with better authentication).
The Transcript Delivery System, or TDS, allows external third-party customers to view and get tax information on both individuals and businesses. Tax transcripts can’t be obtained using the TDS unless the person requesting one successfully registers for e-Services, and participates in electronic filing or is a participant of the Income and Verification Express Services, or IVES, program. From 2014 through 2016, a total of more than 168 million tax transcripts were requested.
To improve authentication, the IRS implemented an interim process in November 2016 that required existing e-Services TDS users to re-authenticate their identities. However, the latest TIGTA report found that tax transcripts remain vulnerable to hackers.
IRS management didn’t make sure that e-Services TDS users who failed to complete the required interim authentication had their privileges revoked. TIGTA’s analysis of tax transcript request logs from Oct. 1, 2015, to March 31, 2017, identified 4,022 e-Services TDS users who asked for tax transcripts and weren’t sent a letter notifying them of the new interim authentication requirements. As a result, 1,507 of the 4,022 users continued to request a total of 96,639 tax transcripts without being required to re-authenticate in compliance with the interim requirements.
In addition, tax transcript request processes and procedures still don’t minimize the risk of unauthorized release of tax transcript information. TIGTA reviewed the TDS audit logs of tax transcript requests made between Jan. 1, 2014, and Dec. 31, 2016, and saw anomalies that could indicate either misuse of the system or potentially suspicious activity. For example, according to the report, 169 TDS participants registered with e-Services using email addresses that had been identified during a previous audit as suspicious and associated with potential identity theft victims.
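The two audit-log checks described in the preceding paragraphs, reconciling transcript requests against re-authentication status and screening registration emails against a previously flagged list, can be expressed as a small log-review script. The following is an added example written for this page; it is not code from the TIGTA report or the IRS. The log record layout, user IDs, email addresses, dates and the re-authentication roster are all constructed for illustration, and the only value taken from the page is that the interim requirement began in November 2016.

```python
"""Reconcile transcript-request logs against re-authentication status and a
list of previously flagged registration emails (added example; all data constructed)."""
from collections import defaultdict
from datetime import date

# Constructed sample log records: (request_date, user_id, registration_email, transcripts_requested)
REQUEST_LOG = [
    ("2016-12-02", "u1001", "alice@example.com", 3),
    ("2017-01-15", "u1001", "alice@example.com", 2),
    ("2016-11-20", "u1002", "bob@example.com", 5),
    ("2017-02-01", "u1003", "temp-mail-123@example.net", 1),
    ("2015-10-05", "u1004", "carol@example.com", 4),
]

# Constructed: users who completed the interim re-authentication, with the completion date
REAUTHENTICATED = {"u1002": date(2016, 11, 18)}

# The page states the interim process started in November 2016; the exact day is assumed
INTERIM_EFFECTIVE = date(2016, 11, 1)

# Constructed: registration email addresses flagged as suspicious in an earlier audit
FLAGGED_EMAILS = {"temp-mail-123@example.net"}


def find_unverified_requesters(log, reauthenticated, effective):
    """Map user_id -> transcripts requested on or after the effective date by users
    who had not completed re-authentication before the request was made."""
    counts = defaultdict(int)
    for day, user, _email, n in log:
        when = date.fromisoformat(day)
        if when < effective:
            continue  # requests before the interim requirement are out of scope
        done = reauthenticated.get(user)
        if done is None or done > when:
            counts[user] += n  # still requesting without a completed re-authentication
    return dict(counts)


def find_flagged_registrations(log, flagged):
    """Return the user_ids whose registration email matches a previously flagged address."""
    return {user for _day, user, email, _n in log if email.lower() in flagged}


def summarize(log, reauthenticated, effective, flagged):
    """Combine both checks into one review summary for follow-up (e.g. privilege revocation)."""
    unverified = find_unverified_requesters(log, reauthenticated, effective)
    return {
        "unverified_users": len(unverified),
        "unverified_transcripts": sum(unverified.values()),
        "flagged_registrations": sorted(find_flagged_registrations(log, flagged)),
    }


if __name__ == "__main__":
    print(summarize(REQUEST_LOG, REAUTHENTICATED, INTERIM_EFFECTIVE, FLAGGED_EMAILS))
```

On the constructed data the script reports two users who kept requesting transcripts after the effective date without re-authenticating (six transcripts in total) and one registration on a flagged address; a real deployment would feed it the TDS audit log export and the re-authentication roster, and the output is the list of accounts whose privileges should be suspended pending verification.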
On top of that, TIGTA found the IRS has ineffective processes and procedures to ensure legitimate taxpayers in fact authorized the release of their tax transcript information to IVES program participants or their clients.
TIGTA made nine recommendations in the report, including that the IRS implement multifactor authentication, adopt procedures to ensure legitimate taxpayers authorize the release of their tax transcripts, and redact sensitive information from tax transcripts. The IRS agreed with four recommendations and took action to address the concerns of another two. For the remaining three, the IRS didn’t agree with TIGTA’s suggestions or adequately address the recommendations. For example, the IRS didn’t agree to implement additional procedures to make sure legitimate taxpayers authorize the release of their tax transcripts, or to improve controls for requesting tax transcript information.
“We recognize the concerns the Treasury Inspector General for Tax Administration has regarding the IRS’ ability to validate the authenticity of third-party requests for tax information, but we believe the interim risk-mitigation procedures that were put in place, along with placing TDS behind secure access, are effective at balancing the protection of sensitive tax information and [personally identifiable information] with the legitimate needs of third-party service providers whom taxpayers have authorized to receive their information,” wrote Kenneth C. Corbin, commissioner of the IRS’s Wage and Investment Division, in response to the report.