
IRS commissioner appears before Senate, attributes breach, in part, to budget cuts

In a pair of Senate hearings on Tuesday, IRS Commissioner John Koskinen blamed outdated equipment and budget cuts for the agency's reliance on online services such as "Get Transcript," which was at the heart of a recent breach that affected nearly 104,000 taxpayers, as well as for its inability to enact additional security measures.

IRS funding has been cut by more than $1 billion since 2010 to $10.9 billion this year.

In the first testimony with the Senate Finance Committee, Koskinen pointed out that cyber criminals were able to breach an IRS system using information obtained from non-IRS sources. He defended the use of "Get Transcript," noting that it helped the agency quickly serve more than 23 million taxpayers, a volume that would have been nearly impossible to process efficiently while the agency's call centers and walk-in offices were jam-packed during the 2015 tax season.

“If this application had not existed and these taxpayers had to call or write us to order a transcript, it would have stretched our limited resources even further,” Koskinen said.

Treasury Inspector General Russell George suggested the IRS's push for more online services will only make taxpayer data more vulnerable to data breaches. George also predicted that cyber attacks will rise as a preliminary investigation revealed an increase in cyber attacks from Russia and over a dozen other countries. 

Not all of the compromised data in the IRS breach led to fraudulent payouts, but Koskinen told the committee that the breach resulted in about 13,000 fraudulent tax returns that cost the government $39 million. Some of them were flagged as suspicious or were denied because legitimate returns had already been filed. The IRS suspects hackers will use the data stolen in the breach for the 2016 tax season as well.

"Tax refund fraud exploded between 2010 and 2012," Koskinen told the Finance Committee. And it's only gotten worse. Between 2011 and 2014, the IRS prevented $63 billion in fraudulent tax refund payouts but paid $5.2 billion to identity thieves in 2011 alone. 

“The IRS is not and will never be exempted from this constant threat,” Senate Finance Committee Chairman Orrin Hatch said. “In fact, there is reason to believe the IRS will be more frequently targeted in the future.”

In the second hearing with the Department of Homeland Security, Sen. Ron Johnson, R-Wis., criticized the IRS for having a security authentication process that allowed the cybercriminals to repeatedly access accounts using the same email address.

“That's a relatively significant flaw,” Johnson said. “Each email has got to be a unique email.”

Koskinen explained that the IRS hadn't implemented the unique email feature because they don't have the resources to securely communicate directly with taxpayers via email. 

The IRS commissioner went on to say that secure email communications would allow the agency to improve its current two-factor authentication process that uses security questions. This method was criticized in light of the breach because cybercriminals were able to track down answers through information that is readily available online. 

IRS Chief Technology Officer (CTO) Terence Millholland said that the IRS first has to determine how it wants to interact with taxpayers before choosing how to improve the current two-factor process.

“We fundamentally have to decide [if we are] going to set up accounts for taxpayers so they can file directly,” he said.

Millholland went on to say that, if they do, they will consider biometric authentication such as fingerprinting as a secondary factor.

Koskinen also said the IRS is planning to partner with tax software companies as well as state governments to share data and ensure better security measures in 2016.
