IRS makes infosec strides after Get Transcript breach, but challenges remain

IRS officials charged with protecting and authenticating taxpayer data are getting better at their jobs – but so are fraudsters.

A Government Accountability Office audit released July 23 gave the agency mostly passing marks on the fundamentals of identity authentication. However, auditors also identified a range of incomplete tasks with uncertain funding mandates as well as a burgeoning threat landscape that threatens to overwhelm the cash-strapped agency's cybersecurity and IT resources.

Online services – which accounts for 16.5 million of the approximately 28.5 million people authenticated in 2017 – fared the best, with auditors noting IRS "regularly assesses risks and monitors" its online applications but "has not established equally rigorous internal controls for its telephone, in-person and correspondences channels."

Officials have started holding regular "security summits" with industry and cybersecurity experts to gain better insight into the current threat landscape. A strategic road map developed in 2016 outlined core strategic objectives for achieving better identity proofing and unearthed dozens of recommended steps to get there.

However, auditors noted that in many cases, officials at the tax agency have failed to match those projects with available funding or agency resources, leading to concerns that momentum could stall or the projects could become de-prioritized.

The findings come as IRS faces increasing threat from hackers, identity thieves and a boom in tax refund fraud. Fraudsters made off with $1.6 billion in identity theft tax refund fraud in 2016, but the IRS says it managed to successfully block an additional $10.5 billion in illegal transactions. Earlier this month, the agency created a new resource guide on data protection for tax professionals and updated another publication on safeguarding taxpayer data.

Additionally, the agency has faced criticism in Congress and within the information security community for a range of stumbles around protecting sensitive data in recent years. A day after GAO released its audit, the Treasury inspector general released a separate report flagging security vulnerabilities in one of the IRS' customer online portals, finding that the status quo "unnecessarily expose[s] taxpayer data to unauthorized access and disclosure."

The biggest threat identified in the report was not any particular weakness in the IRS network, but rather the increasing sophistication and adaptability of attackers.

Charles Rettig, the Trump administration's nominee for IRS commissioner, has said that modernizing IRS systems to facilitate better protection of taxpayer data will be one of his top priorities if confirmed.