IRS Officials Grilled After Security Breach

Published: June 03, 2015


IRS Commissioner John Koskinen testified before two Congressional committees this week, in the wake of a data security breach involving over 104,000 taxpayers.

The fraudsters used the IRS Get Transcripts application, which allows taxpayers to download their tax return data, to access the records of more than 100,000 taxpayers.  Hackers attempted to download the returns of around 200,000 taxpayers and were successful in at least 104,000 cases.  The attacks were believed to have taken place from mid-February to mid-May and may have resulted in as much as $50 million paid out in fraudulent returns.  The IRS will offer identity protection services for the 104,000 taxpayers whose data was retrieved and will send notification letters to all 200,000 taxpayers whose accounts the attackers attempted to access.


But this was no ordinary cybersecurity attack involving identity theft. According to IRS officials, the perpetrators did not break into the IRS system to steal taxpayer personal information. Apparently, the taxpayer identities had already been compromised elsewhere, and the intruders used that identity information to access the system. They authenticated themselves with "out-of-wallet" personal information, a method also known as knowledge-based authentication (KBA), that had been obtained from the internet and other sources.

During the hearings, Koskinen further broke down the details of the breach as follows:

• 35,000 of the affected taxpayers had already filed 2014 income tax returns, so their most recent refunds were safe
• In 33,000 cases of stolen information, no tax return had been filed for the past year (i.e. some of the SSNs are associated with children)
• 23,500 probably fraudulent returns were attempted but unsuccessful
• 13,000 suspect returns were filed and $39 million in refunds issued

Koskinen, IRS CTO Terry Milholland, and Treasury Inspector General for Tax Administration J. Russell George attributed the breach to several factors: the age of IRS systems, system design flaws, and underfunding.

Some of the systems underpinning the Get Transcripts application are over 50 years old. The software manufacturers no longer support or provide patches for these aging systems. Additionally, when the authentication processes for the Get Transcripts application were designed several years ago, cyber criminals were not as sophisticated as they are today, and the system wasn't built to handle this type of threat. The IRS is challenged with protecting taxpayer information without making the system so difficult to access that taxpayers find it cumbersome and prohibitive to use.

Many security experts agree that two-factor authentication is needed to make IRS systems more secure.  Two-factor authentication involves using an independent means to verify identity, such as sending a confirmation message to the e-mail address that was used to establish the original account.  Although this type of authentication is widespread in the private sector financial industry, it’s not easily implemented at IRS. "Part of our problem is that we can't communicate with taxpayers electronically at all yet — we never send emails back and forth because we have no security for that," Koskinen stated.  "If we could communicate with taxpayers electronically, that would accomplish a lot of our goals. One of them would be that we could communicate with taxpayers in the same ways that financial institutions do today: they can send you an email to your email address, because they know ahead of time that it's your email address."
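To make the distinction between the KBA-only check described above and a second, independent factor concrete, here is an added illustration in Python. It is not IRS code and does not describe the real Get Transcripts implementation; the taxpayer record, the "out-of-wallet" questions and the contact address are constructed for the example. The point it shows is that `check_kba` passes for anyone holding the answers, exactly the situation the article describes, while the one-time code from `SecondFactor` has to reach a channel verified when the account was opened, expires, is single-use, and tolerates only a few guesses.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample record (hypothetical, not real data). The "out-of-wallet"
# answers are the kind of information the article says attackers already held.
TAXPAYERS = {
    "000-00-0000": {
        "kba": {"prior_agi": "48250", "mortgage_lender": "examplebank", "street": "12 elm st"},
        "contact": "taxpayer@example.com",  # channel verified when the account was established
    }
}

CODE_TTL_SECONDS = 300   # assumed lifetime of a one-time code
MAX_CODE_ATTEMPTS = 3    # assumed guess budget before the code is discarded


def _normalize(value: str) -> str:
    return " ".join(value.strip().lower().split())


def check_kba(ssn: str, answers: dict) -> bool:
    """Knowledge-based check on its own: succeeds for anyone who holds the answers."""
    record = TAXPAYERS.get(ssn)
    if record is None:
        return False
    ok = True
    for key, want in record["kba"].items():
        got = _normalize(answers.get(key, ""))
        # Constant-time compare and no early exit, so timing does not reveal which answer failed.
        ok &= hmac.compare_digest(_normalize(want).encode(), got.encode())
    return ok


class SecondFactor:
    """One-time code sent out of band (e.g. e-mail) with expiry, single use and an attempt cap."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable clock so expiry can be tested
        self._pending = {}             # ssn -> {"digest": bytes, "expires": float, "attempts": int}

    def issue(self, ssn: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[ssn] = {
            "digest": hashlib.sha256(code.encode()).digest(),  # store only a digest of the code
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        # The caller delivers this to TAXPAYERS[ssn]["contact"], never back in the web response.
        return code

    def verify(self, ssn: str, code: str) -> bool:
        entry = self._pending.get(ssn)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[ssn]     # expired codes are discarded, not retried
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_CODE_ATTEMPTS:
            del self._pending[ssn]     # too many guesses: force a fresh code
            return False
        matched = hmac.compare_digest(hashlib.sha256(code.encode()).digest(), entry["digest"])
        if matched:
            del self._pending[ssn]     # single use: replaying the same code later fails
        return matched


def request_transcript(ssn: str, answers: dict, second_factor: SecondFactor, code=None) -> str:
    """Combined flow: KBA alone is not enough; the out-of-band code must also verify."""
    if not check_kba(ssn, answers):
        return "denied"
    if code is None:
        return "second_factor_required"
    return "granted" if second_factor.verify(ssn, code) else "denied"


if __name__ == "__main__":
    sf = SecondFactor()
    leaked_answers = {"prior_agi": "48250", "mortgage_lender": "ExampleBank", "street": "12 Elm St"}
    print(request_transcript("000-00-0000", leaked_answers, sf))          # second_factor_required
    one_time = sf.issue("000-00-0000")                                     # would be e-mailed
    print(request_transcript("000-00-0000", leaked_answers, sf, one_time))  # granted
    print(request_transcript("000-00-0000", leaked_answers, sf, one_time))  # denied (replay)
```

The design choice worth noting is that the second factor is bound to a contact address recorded before the request, which is precisely what Koskinen says the IRS cannot yet do: without a pre-verified electronic channel there is nowhere trustworthy to send the code, and the flow degrades back to KBA alone.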


Even though Koskinen hesitated to blame the breach solely on budget cuts, he admitted that they did play a role.  The IRS budget dropped from $12.15 billion in FY 2010 to $10.9 billion this year.


Koskinen stated that "Congress can help by approving the president's FY 2016 budget request, which includes $101 million specifically devoted to identity theft and refund fraud, plus $188 million for critical information technology infrastructure." He added: "Even with our constrained resources as a result of cuts to our budget totaling $1.2 billion since 2010, we continue to devote significant time and attention to" the challenge of securing systems and protecting taxpayer information from identity thieves. These efforts have borne fruit, as evidenced by George's testimony that during the 2013 filing season the agency prevented between $22 billion and $24 billion in identity theft tax refunds from being issued.


Koskinen also urged committee members to restore the IRS's ability to quickly fill posts that are critical to the IRS mission and require a high level of expertise, termed the "streamlined critical pay authority." This authority would help the IRS get the specialists it needs while bypassing the typically months-long federal hiring process.


Koskinen assured lawmakers that the IRS will soon "announce an agreement on short-term solutions to help better protect personal information in the coming tax filing season and to continue to work on longer-term efforts to protect the integrity of the nation's tax system." Koskinen is working with state tax administrators and tax preparation companies to increase security measures and information sharing for the 2015 tax season.