IRS makes infosec strides after Get Transcript breach, but challenges remain

IRS officials charged with protecting and authenticating taxpayer data are getting better at their jobs – but so are fraudsters.

A Government Accountability Office audit released July 23 gave the agency mostly passing marks on the fundamentals of identity authentication. However, auditors also identified a range of incomplete tasks with uncertain funding mandates as well as a burgeoning threat landscape that threatens to overwhelm the cash-strapped agency's cybersecurity and IT resources.

Online services – which account for 16.5 million of the approximately 28.5 million people authenticated in 2017 – fared the best, with auditors noting IRS "regularly assesses risks and monitors" its online applications but "has not established equally rigorous internal controls for its telephone, in-person and correspondences channels."

Officials have started holding regular "security summits" with industry and cybersecurity experts to gain better insight into the current threat landscape. A strategic road map developed in 2016 outlined core strategic objectives for achieving better identity proofing and unearthed dozens of recommended steps to get there.

However, auditors noted that in many cases, officials at the tax agency have failed to match those projects with available funding or agency resources, leading to concerns that momentum could stall or the projects could become de-prioritized.

The findings come as the IRS faces an increasing threat from hackers, identity thieves and a boom in tax refund fraud. Fraudsters made off with $1.6 billion in identity theft tax refund fraud in 2016, but the IRS says it managed to successfully block an additional $10.5 billion in illegal transactions. Earlier this month, the agency created a new resource guide on data protection for tax professionals and updated another publication on safeguarding taxpayer data.

Additionally, the agency has faced criticism in Congress and within the information security community for a range of stumbles around protecting sensitive data in recent years. A day after GAO released its audit, the Treasury inspector general released a separate report flagging security vulnerabilities in one of the IRS' customer online portals, finding that the status quo "unnecessarily expose[s] taxpayer data to unauthorized access and disclosure."

The biggest threat identified in the report was not any particular weakness in the IRS network, but rather the increasing sophistication and adaptability of attackers.

Charles Rettig, the Trump administration's nominee for IRS commissioner, has said that modernizing IRS systems to facilitate better protection of taxpayer data will be one of his top priorities if confirmed.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at [email protected], or follow him on Twitter @derekdoestech.
