IRS remains a prime target for data thieves

  • 11 October 2017
  • NormanL

We noted last week that the IRS awarded Equifax, the credit bureau whose massive databases on American consumers were hacked earlier this year, a multi-million dollar, no-bid contract to help prevent identity theft.

The IRS stands by the deal, despite Equifax's growing troubles since the data breach. But the story gets worse. Our friends at Americans for Tax Reform write that the IRS itself remains a prime target for hackers because the agency continues to use old, outdated, and insecure technology. More on that in a moment. First, though, we learn this about the Equifax contract:

The House Ways and Means Oversight Subcommittee conducted a hearing last week exploring the IRS’s IT practices following the news that the agency awarded a $7.25 million contract to Equifax just a week after that company was responsible for a major data breach compromising confidential data of 145 million American taxpayers.

Alarmingly, neither IRS Chief Information Officer Gina Garza, nor Jeffrey Tribiano, Deputy Commissioner for Operations Support, were aware that the contract with Equifax was signed until the morning of the hearing.

As noted by David Powner, Director of IT Management Issues at the Government Accountability Office, this represents a major breakdown in IRS management as CIOs are required by law to approve major IT contracts such as the one awarded to Equifax:

“CIOs should approve the IT budget, they should approve major IT contracts, that’s a provision in the law… I can tell you right now that was put in there because of this stuff [referencing the Equifax funding granted by the IRS].”

There have been so many management breakdowns at the IRS in recent years, we've become jaded to revelations of fresh failures. But this one raises critical questions about how such a lucrative contract could be awarded -- with none of the relevant authorities aware of it -- to a company that has proven it is incapable of protecting sensitive data.

Then again, we're talking about the IRS...which insists on making itself a ripe target for hackers:

The Equifax data breach should come as no surprise as IRS practices have been investigated by independent watchdogs on a number of occasions.

Last year, a TIGTA review found that the IRS’s outdated systems were leaving taxpayer data at risk, noting that “the use of outdated operating systems may expose taxpayer information to unauthorized disclosure, which can lead to identity theft. Further, network disruptions and security breaches may prevent the IRS from performing vital taxpayer services, such as processing tax returns, issuing refunds, and answering taxpayer inquiries.”

Another review revealed that poorly articulated and badly enforced data retention policies were responsible for the destruction of laptops and critical records, hindering the ability of taxpayers to hold the agency accountable.

Concerns about the IRS’s mishandling of private information have prompted the GOP’s proposed Taxpayer Bill of Rights, designed to protect (amongst other things), the privacy and confidentiality of American taxpayers by holding the agency accountable and affording taxpayers a means of redress.

The Oversight Committee found that the IRS has retained outdated 20th-century technology that puts citizen data at risk instead of developing or implementing integrated cloud technology which is the industry standard.

There are calls for major reform at the IRS. We share those (and more broadly, reforms to the tax code that would significantly reduce the size and power of the agency). But we are also left to wonder why IRS commissioner John Koskinen, once the target of a GOP impeachment drive, is still allowed to retain his post under the Trump administration.

It was bad enough when the Justice Department decided to drop the Lois Lerner case, and thumbed its nose at holding IRS bureaucrats accountable for staging political witch hunts. The IRS also seems intent on putting everything it knows about you, and your finances, at risk of data theft. Heads shouldn't just roll at the IRS; the agency should be fumigated and de-loused afterwards.