Is IRS dropping the risk assessment ball?

IRS Headquarters in Washington, D.C. (Photo credit: Rob Crandall /

As far as everyone knows, troves of taxpayer records maintained by the IRS have never been breached. But watchdogs are concerned by the leadership decisions that enabled fraudsters to snatch sensitive information through the digital front door.

"A risk assessment was done for Get Transcript," said Treasury Inspector General for Tax Administration J. Russell George. "And they made the wrong call."

Get Transcript is a web tool that IRS officials took down in May 2015 after fraudsters exploited the knowledge-based security and took tax data for more than 700,000 taxpayer accounts. In March 2016, the IRS suspended another online tool, its Identity Protection Personal Identification Number (IP PIN) retrieval tool, over similar concerns.

Testifying before the House Committee on Science, Space and Technology's Research and Technology Subcommittee, George said the IRS didn't conduct a thorough enough risk assessment of the IP PIN tool, especially after the botched assessment of Get Transcript.

George's office had repeatedly called for the IP PIN retrieval tool to be taken offline before IRS finally acknowledged a potential breach and nixed it.

IRS Commissioner John Koskinen defended knowledge-based security as a good practice when it was first implemented by the IRS in 2011.

"It's not as if anybody could walk in and answer those questions," he said at the time, noting one-fifth of taxpayers couldn't even answer their own questions.

Since 2011, however, a deluge of data breaches has rendered the practice much less effective.

Koskinen stressed the fact that IRS' own taxpayer records database hasn't been hacked; the taxpayer info that fueled the Get Transcript and IP PIN breaches came from outside the tax agency.

"The basic database has been secure," Koskinen said. "We hope it remains secure."

He said IRS is working on system segmentation – "So if you actually get into the database you can't run barefoot through it all" – and two-factor authentication.

But as it tries to maintain its cybersecurity posture, the agency is facing a leadership exodus.

The agency's cybersecurity director has already left, and its chief technology officer will soon likely leave as well. Both were hired under a streamlined critical pay authority that the IRS no longer has – and which Koskinen says it desperately needs to effectively hire and retain top tech talent.

Going forward, Koskinen pushed back against suggestions that IRS should limit online services in order to promote security. For IRS, offering more services online is the clear vision of the future.

But for their part, lawmakers indicated that on the security-versus-convenience question, they favor the former.

"Taxpayer protection should be the guiding force" as IRS invests its limited budget, said Rep. Paul Tonko (D-N.Y.).

"I assure you," echoed Rep. Barbara Comstock (R-Va.), "more security is better than less."

About the Author

Zach Noble is a former FCW staff writer.
