A government watchdog says the Internal Revenue Service ignored many of its recommendations to improve computer security. But IRS Commissioner John Koskinen told a Senate panel Tuesday that a data breach reported last month involving the accounts of 104,000 taxpayers is an example of "a perfectly good security mechanism ... being overtaken by events."
At a hearing of the Senate Finance Committee, panel Chairman Orrin Hatch told Koskinen that his agency "has failed" the taxpayers whose returns were stolen in the breach reported last month. Hatch added:
"These taxpayers, and their families, must now begin the long and difficult process of repairing their reputations. And they must do so with the knowledge that the thieves who stole their data will likely try to use it to perpetrate further fraud against them."
The Treasury's inspector general for tax administration, J. Russell George, told the panel that 44 of his office's recommendations to the IRS "have yet to be implemented." Specifically, he said the IRS had not always applied high-risk computer security upgrades known as patches, and that the agency had failed to monitor many of its servers, "which puts the IRS' networks, data and applications at risk."
Koskinen countered that many of the IG recommendations did not apply to the most recent data breach, which involved a separate IRS website. And in response to a question from Hatch, George conceded he could not give "a definitive answer" as to whether the IRS might have prevented the breach if it had implemented the recommendations. But, George said, "it would have been much more difficult."
George and Koskinen both said the perpetrators were likely from Russia and other nations but, citing the ongoing investigation of the data breach, would not be more specific.
The IRS revealed last month that the back tax returns had been downloaded by hackers who used legitimate taxpayers' names, Social Security numbers and other personal data to access the information through a link on an IRS website called Get Transcript. The link has since been taken down.
The back tax information is useful for people applying for a home mortgage or college loan. But thieves could use the data to better impersonate taxpayers and get past IRS screens to file fraudulent returns and obtain refunds.
Sen. Johnny Isakson, R-Ga., said it was ironic that while the Senate has been busy debating whether the National Security Agency should be allowed to access data on phone calls, the IRS collects much more personal information — including wages, investments and charitable contributions. This data, he said, is "a lot more personally identifying for the average American than whatever the NSA ever does, and they're looking out for our physical safety."