The Internal Revenue Service (IRS) failed to record compromised taxpayer identification numbers (TINs) for 89 breaches reported to the agency by outside organizations, putting over 11,000 taxpayers at risk and leading to tax return fraud for 79 citizens, according to an audit conducted by the Treasury Inspector General for Tax Administration (TIGTA).
When organizations report data breaches to the IRS, IRS procedure requires staff to assess the risk associated with the breach, request the TINs, primarily Social Security Numbers (SSNs) for citizens, of those affected in breaches that meet the threshold of medium risk or above, and place those TINs on the agency’s Dynamic Selection List (DSL), a protective measure that places review priority on tax returns and gives legitimate taxpayers a chance to authenticate before the return is processed.
In 2017, 730 breaches were reported to the IRS. However, when examining a selection of reported breaches, TIGTA found 89 that were not recorded by the IRS.
“Our review identified that necessary actions were not always taken to protect taxpayers associated with all reported data breaches. For example, the IRS did not record and track all reported external data breaches. In addition, TINs associated with reported data breaches were not consistently placed on the DSL to detect fraudulent tax returns that identity thieves might file using the TINs,” the report says.
For 70 of the 89 breaches under examination, IRS personnel did not ask for a list of compromised TINs and did not take the mandated steps to identify the compromised individuals when no list was available. Additionally, in four of the breaches, IRS analysts did request compromised TINs but did not receive a list and did not try to determine the TINs, as IRS policy requires. While these incidents make up the majority of the breaches identified by TIGTA, there is little information available to determine whether the affected taxpayers were victims of return fraud, as the IRS did not have their TINs available.
For 15 of the breaches, the entities reporting the breach did provide a list of compromised taxpayers and their TINs, but IRS staff did not record them in the DSL. This led to 11,406 SSNs not being closely monitored, and 79 people found themselves victims of tax return fraud during FY16 and FY17 as a result.
TIGTA also found that even when analysts did add TINs to the DSL database for monitoring, in 105 incidents analysts did not add all TINs, leaving 27,270 people who may not have been added to the DSL database. However, IRS personnel claimed that those names may have already been added to the DSL database and excluded to avoid duplicates.
TIGTA recommended that the IRS record the 89 breaches that were identified and develop processes to make sure all reported breaches are recorded and analysts report TINs as required; the IRS agreed. TIGTA also recommended that the IRS look into the 27,270 TINs identified to determine how many are duplicates and how many need to be added to the DSL; the IRS agreed with that as well.