The IRS came under fire Tuesday on Capitol Hill over fresh concerns that taxpayer information remains at risk from cyber attacks. IRS Commissioner John Koskinen was called before the Senate Finance Committee to answer questions about cybersecurity, after a report from the Government Accountability Office flagged “significant” security issues — months after a breach that compromised the files of hundreds of thousands of taxpayers.
“There is no excuse for this,” Sen. Ron Wyden, D-Ore., said of the IRS’ cyber-vulnerabilities.
GAO head Gene Dodaro, the comptroller general, detailed the findings of his agency’s March report, which said the IRS has not effectively implemented many recommended security measures and is vulnerable to hacking attempts.
In his testimony, he cited weaknesses such as easily guessed system passwords, officials being given rights and privileges beyond what they need to have, and systems that should be encrypted but are not. The GAO made dozens of security recommendations.
“We’re hopeful they will rigorously implement our recommendations over the next few years, all 94 that we have outstanding,” Dodaro said.
The cyber thieves hacked into the agency’s “Get Transcripts” system where taxpayers get returns and other prior-year filings. The breach was discovered in May 2015.
Koskinen conceded there was still a lot of work to do, and said the threat of cyberattacks has evolved from a few individuals filing a few hundred fake refunds to organized crime syndicates with access to large amounts of data.
“We are in the process of developing a strong and coordinated authentication framework,” Koskinen said. “Our goal is to have the strongest possible authentication process for our online services while maintaining the ability of taxpayers to access their data and use IRS services online.”
Ranking Democratic Sen. Wyden was scathing in his criticism of the agency, calling its failures “unacceptable.” He pointed to not only weaknesses in the “Get Transcripts” system, but also in the Identity Protection PIN numbers sent to hacking victims. Wyden said those numbers allowed hackers to plug in the same data and merely pretend to have lost the PIN number.
“So after leaving the front door open, the IRS left the back door open, too,” Wyden said.
However, Wyden said there was “a lot of blame to go around” in security risks to taxpayers, pointing also to weaknesses in private firms and Congress’ decision not to renew “streamlined critical pay authority” – which allows the IRS to offer higher than normal salaries in certain critical areas in order to attract highly skilled candidates.
He said there has been an “exodus” of high-ranking IRS tech staff.
J. Russell George, the Treasury inspector general for tax administration, told lawmakers there was still a lot to be done and that, while the IRS is working to implement the GAO recommendations, a number of security checks still do not comply with government standards.
He also called for Congress to increase funding and resources for the IRS, after acknowledging the $290 million in additional funding given to the agency in fiscal 2016 that included funds to fight cyber fraud and identity theft. He called for the reauthorization of streamlined critical pay authority – which he said is required to hire top-level staff for important positions.
The hearing came less than a week before the newly extended April 18 deadline for taxpayers to file their taxes.