The U.S. Internal Revenue Service, the Congress, and private electronic tax-filing vendors aren't doing enough to protect the personal information of taxpayers, senators said Tuesday.
The IRS needs to step up its cyberecurity efforts, said members of the Senate Finance Committee, citing two recent data breaches at the agency, along with 94 open cybersecurity recommendations from the Government Accountability Office.
"Hackers and crooks, including many working for foreign crime syndicates, are jumping at every opportunity they have to steal hard-earned money and sensitive personal data from U.S. taxpayers," Senator Ron Wyden, an Oregon Democrat, said during a hearing. "In my view, taxpayers have been failed by the agencies, the companies, and the policymakers here in Congress they rely on to protect them."
Senators noted a breach, discovered last May, in the IRS Get Transcript service, which allows taxpayers to request copies of old tax returns. The breach allowed attackers access to more than 720,000 taxpayer accounts between January 2014 and May 2015, the IRS said.
Last month, the IRS suspended a Web-based service allowing taxpayers to retrieve so-called IP Protection PINs (IP PINs), a six-digit ID number, after security problems with the service. Attackers were able to access the e-file PINs connected to more than 100,000 Social Security numbers in a January attack, the IRS said.
The agency was issuing the PINs using only single-factor authentication, a violation of federal standards, said J. Russell George, inspector general for tax administration in the Department of the Treasury.
After the IRS mailed PINs to the Get Transcript hacking victims, "it repeated its mistake and used lax security online," Wyden said. "For the tax scammers, once again it was as easy as going online, plugging in the personal data you’ve already stolen, and pretending to be somebody who’s lost their IP PIN. So after leaving the front door open, the IRS left the back door open, too. There is no excuse for this."
The IRS breaches are among a growing list of major government breaches. Just this month, the Philippine Commission on the Elections said the personal information of about 70 million people was compromised by hackers. And a hacking group called Cyber Justice Team leaked data from several Syrian government and private websites.
The IRS isn't the only weak link in U.S. taxpayer security, Wyden said. E-file vendors have had their own security problems, he said, and congressional authority allowing the IRS to streamline its cybersecurity hiring process has lapsed.
The streamlined hiring authority is important, said John Koskinen, the agency's commissioner. Most qualified cybersecurity workers won't wait around for the three- to six-month standard federal hiring process, he said.
Sign up for Computerworld eNewsletters.