Is IRS dropping the risk assessment ball?

IRS Headquarters in Washington, D.C. (Photo credit: Rob Crandall /

As far as everyone knows, troves of taxpayer records maintained by the IRS have never been breached. But watchdogs are concerned by the leadership decisions that enabled fraudsters to snatch sensitive information through the digital front door.

"A risk assessment was done for Get Transcript," said Treasury Inspector General for Tax Administration J. Russell George. "And they made the wrong call."

Get Transcript is a web tool that IRS officials took down in May 2015 after fraudsters exploited its knowledge-based authentication (identity questions answerable from previously breached data) and took tax data for more than 700,000 taxpayer accounts. In March 2016, the IRS suspended another online tool, its Identity Protection Personal Identification Number (IP PIN) retrieval tool, over similar concerns.

Testifying before the House Committee on Science, Space and Technology's Research and Technology Subcommittee, George said the IRS didn't conduct a thorough enough risk assessment of the IP PIN tool, especially after the botched assessment of Get Transcript.

George's office had repeatedly called for the IP PIN retrieval tool to be taken offline before IRS finally acknowledged a potential breach and nixed it.

IRS Commissioner John Koskinen defended knowledge-based security as a good practice when it was first implemented by the IRS in 2011.

"It's not as if anybody could walk in and answer those questions," he said at the time, noting one-fifth of taxpayers couldn't even answer their own questions.

Since 2011, however, a deluge of data breaches has rendered the practice much less effective.

Koskinen stressed the fact that IRS' own taxpayer records database hasn't been hacked; the taxpayer info that fueled the Get Transcript and IP PIN breaches came from outside the tax agency.

"The basic database has been secure," Koskinen said. "We hope it remains secure."

He said IRS is working on system segmentation – "So if you actually get into the database you can't run barefoot through it all" – and two-factor authentication.

But as it tries to maintain its cybersecurity posture, the agency is facing a leadership exodus.

The agency's cybersecurity director has already left, and its chief technology officer will soon likely leave as well. Both were hired under a streamlined critical pay authority that the IRS no longer has – and which Koskinen says it desperately needs to effectively hire and retain top tech talent.

Going forward, Koskinen pushed back against suggestions that IRS should limit online services in order to promote security. For IRS, offering more services online is the clear vision of the future.

But for their part, lawmakers indicated that on the security-versus-convenience question, they favor the former.

"Taxpayer protection should be the guiding force" as IRS invests its limited budget, said Rep. Paul Tonko (D-N.Y.).

"I assure you," echoed Rep. Barbara Comstock (R-Va.), "more security is better than less."

About the Author

Zach Noble is a staff writer covering digital citizen services, workforce issues and a range of civilian federal agencies.

Before joining FCW in 2015, Noble served as assistant editor at the viral news site TheBlaze, where he wrote a mix of business, political and breaking news stories and managed weekend news coverage. He has also written for online and print publications including The Washington Free Beacon, The Santa Barbara News-Press, The Federalist and Washington Technology.

Noble is a graduate of Saint Vincent College, where he studied English, economics and mathematics.

