Anti-Fraud , Fraud , Risk Management

IRS Chief Defends Taxpayer Data Protection Efforts

Commissioner John Koskinen Says Equifax Breach Won't Have Impact on Upcoming Tax Season
IRS Chief Defends Taxpayer Data Protection Efforts
IRS Commissioner John Koskinen

The Internal Revenue Service is pushing back at critics who contend the tax agency isn't doing enough to secure its information technology.

See Also: How to Scale Your Vendor Risk Management Program

"The progress we've made in protecting taxpayers is especially important when you look at how much sensitive personal information has fallen into the hands of criminals recently," IRS Commissioner John Koskinen said Tuesday in a call with reporters. "A wide range of private and public-sector organizations have seen their systems compromised. I cannot imagine where the nation's tax system would be today if we hadn't started this effort back in 2015."

In 2015, the IRS fell victim to a hack of its Get Transcript system that exposed the names and Social Security numbers of as many as 724,000 taxpayers (see IRS Doubles Number of Get Transcript Victims).

Koskinen also said he does not believe the breach of the credit reporting agency Equifax will have a major impact on the upcoming tax filing season. "Our estimate is a significant percent of those taxpayers already had their information in the hands of criminals," he said.

An estimated 145.5 million Americans had their PII exposed in the Equifax breach.

Auditors Cite Concerns with IRS Security

As recently as September, the Treasury Department's inspector general for tax administration warned that the IRS is introducing unnecessary risks to sensitive taxpayer systems because of its aging computer hardware (see Inspector General: IRS's Aging IT Puts Taxpayer Data at Risk).

"Aged information technology hardware still in use introduces unnecessary risks," Deputy Inspector General for Audit Michael McKenney wrote in the report. "These aged hardware failures may have also had a negative effect on IRS employee productivity, security of taxpayer information and customer service."

In July, the Government Accountability Office cited deficiencies in the IRS implementing security controls to safeguard sensitive financial and taxpayer data. "Until IRS takes additional steps to address unresolved and newly-identified control deficiencies and effectively implements components of its information security program, its financial reporting and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification or disclosure," GAO auditors wrote.

But Koskinen insisted the IRS is taking steps to address security threats, including intensifying its current W-2 verification code pilot program, enhancing information sharing with state officials and businesses and increasing public awareness campaigns aimed at taxpayers and tax preparers.

Mitigating Fraud

Koskinen cited a number of stats he contends demonstrate the success of efforts by the IRS to mitigate fraud. In 2016, the IRS stopped 883,000 fraudulent returns filed as a result of identity theft, a 37 percent drop from 2015. For the first eight months of this year, the IRS has stopped 443,000 fraudulent returns, a 30 percent decline from the same period last year. "This reflects the fact that we've made it harder for criminals to file false returns in volume, so they have to work more on an individual, return-by-return basis," Koskinen said.

The IRS commissioner also said the agency is receiving fewer reports of identity theft from taxpayers, falling 40 percent from January through August to 189,000 individuals, compared to the same period a year ago.

"While we have made tremendous progress against tax-related identity theft over the past two years, we have much more work facing us," Koskinen said. "As we evolve, so do the cybercriminals here and abroad. As we increase protections, cybercriminals become more creative and aggressive. We have to keep working together [with its public and private-sector partners] to strengthen our defenses."


About the Author

Eric Chabrow

Eric Chabrow

Host & Producer, ISMG Security Report; Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow hosts and produces the semi-weekly podcast ISMG Security Report and oversees ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.




Around the Network