The IRS repeatedly allowed contractors to keep their active access to the tax agency’s systems and buildings after their projects ended, an inspector general reported Monday.
Dozens of employees walked away with their access cards, 17 kept their computers and 13 still had network access after they should have been excised from the IRS’ active contractor list.
They were part of a broader group of 1,821 contract employees who were still listed as active in the IRS’ human resources system despite their contract projects having ended.
The inspector general called the network access a “risk” to taxpayers’ secret files and the access cards a physical security problem.
“When the IRS does not separate contractor employees when required and retrieve issued security items and identification media, it increases the risk of unauthorized entry to IRS facilities and workspaces, potentially endangering employees,” the inspector general said.
IRS officials acknowledged the problem and insisted they were working to fix things.
“That IRS takes the protection of taxpayer information and of IRS data, facilities and systems very seriously,” IRS Chief Operating Officer Melanie Krause said in the agency’s official response to the audit. “Your work helped us to identify problems with our contractor records and our processes and procedures for separating contractor employees.”
She said they have “cleaned up a lot of the records” already and have gone out to try to collect the computers that weren’t returned.
She said they’d gotten eight back and were on track to get two others.
The report comes months after a former contractor, Charles Littlejohn, was sentenced to five years in federal prison for stealing and leaking the tax information of then-President Trump and hundreds of the country’s other wealthiest taxpayers.
Littlejohn was still working for the Booz Allen Hamilton on a contract with the IRS at the time. He said he took the job intending to steal Mr. Trump’s information. After that, he stole the other wealthy Americans’ data, too.
He exploited weaknesses that allowed expansive access to IRS data.
But it exposed a broader problem with contractors.
The inspector general said the IRS had 18,454 active contractor employees listed as of April 2023. But 10% of those should have been listed as already separated because the contracts were over.
Of those, 63 hadn’t returned their access cards. Thirteen of them still had network access, and 12 of them had access to “sensitive” taxpayer files.
In nearly 300 cases, investigators said they couldn’t figure out what sort of access a former contractor might still have “because the IRS was unable to identify the contractor employee identification number used to track them.”
A year ago, as the audit was underway, the IRS said it was rushing to clean things up. But as of January, only 51% of the names wrongly listed as still needing access had been cleaned up. Among them were two of the employees who wrongly kept network access.
• Stephen Dinan can be reached at sdinan@washingtontimes.com.
Please read our comment policy before commenting.