The IRS ignored repeated warnings from its own inspector general that could have made it much harder for the cyberattackers who stole the private taxpayer information of more than 100,000 Americans earlier this year, the agency’s inspector general testified to Congress on Tuesday.
J. Russell George, who has been the IRS’s watchdog for more than a decade, said the IRS has either failed or, in some cases, outright refused, to follow dozens of recommendations on keeping up security patches or stepping up monitoring of key computer servers, which he said may have hurt the agency’s ability to fight off this attack.
“It would have been much more difficult had they implemented all of the recommendations we made,” Mr. George said.
IRS Commissioner John Koskinen disputed that notion, saying the audit reports and recommendations were focused on IRS database security, not on the type of identity-authentication attack that was used in this case to access the full transcripts of 104,000 taxpayers.
“Those reports and those recommendations did not deal with the authentication for this website,” Mr. Koskinen said.
He said a large part of the solution is more money — though he also said they have not shied away from spending on cybersecurity, which has been his agency’s biggest challenge over the last few years.
The latest breach came from what authorities believe was organized crime. Hackers used the agency’s “Get Transcript” online application to probe the information of 200,000 taxpayers, and succeeded in getting into the accounts of 104,000 of those by using information that is supposed to only be known by the taxpayer, such as car payment information.
In about 13,000 of those cases, the hackers may have used the information to file fraudulent false returns claiming refunds. The agency believes it paid out as much as $39 million in bogus refunds to the hackers.
Mr. Koskinen said tax refund fraud “exploded” from 2010 to 2012, and he said they have been rushing to catch up. He said one indication they are making progress is that nearly 2,000 people have been convicted of refund fraud related to identity theft.
This year’s attack began in February but the IRS didn’t notice it until May.
Mr. Koskinen said the attack was limited to the Get Transcript application, which allows taxpayers to get their past returns and other information the IRS has on them. The commissioner insisted the agency’s main computer system “remains secure.”
Early reports had fingered Russia as the likely location of hackers, but officials said they traced the attacks to other countries as well.
SEE ALSO: TSA bragged about gun seizure success rate ahead of new failure report
Michael Kasper, one of the 13,000 for whom hackers filed a fraudulent return, told the Senate Homeland Security and Governmental Affairs Committee he discovered he was a victim after trying to file his return this year and finding out one had already been filed under his name.
He said he informed the IRS of the attack in February, raising questions of why the agency took until May to determine it was the subject of a mass attack.
“It is so simple to file a false tax return for a refund it is actually giving criminals an incentive to attempt more data breaches, since they can trade SSNs for cash from the IRS,” he said.
He said one quick step would be for the IRS to only send personal identification numbers by mail, as banks and credit card companies do, rather than allowing them to be obtained online.
The IRS says the cyberattack succeeded because there is so much data already floating around on Americans that hackers can purchase online, using that information to successfully impersonate
Jeffrey E. Greene, director of government affairs at Symantec Corporation, which makes security software, said one billion IDs have been stolen in the hacks that have been publicly exposed in the last few years.
• Stephen Dinan can be reached at sdinan@washingtontimes.com.
Please read our comment policy before commenting.