The IRS needs to step up its cyberecurity efforts, said members of the Senate Finance Committee, citing two recent data breaches at the agency, along with 94 open cybersecurity recommendations from the Government Accountability Office.
"Hackers and crooks, including many working for foreign crime syndicates, are jumping at every opportunity they have to steal hard-earned money and sensitive personal data from U.S. taxpayers," Senator Ron Wyden, an Oregon Democrat, said during a hearing. "In my view, taxpayers have been failed by the agencies, the companies, and the policymakers here in Congress they rely on to protect them."
Senators noted a breach, discovered last May, in the IRS Get Transcript service, which allows taxpayers to request copies of old tax returns. The breach allowed attackers access to more than 720,000 taxpayer accounts between January 2014 and May 2015, the IRS said.
Last month, the IRS suspended a Web-based service allowing taxpayers to retrieve so-called IP Protection PINs (IP PINs), a six-digit ID number, after security problems with the service. Attackers were able to access the e-file PINs connected to more than 100,000 Social Security numbers in a January attack, the IRS said.
The agency was issuing the PINs using only single-factor authentication, a violation of federal standards, said J. Russell George, inspector general for tax administration in the Department of the Treasury.
After the IRS mailed PINs to the Get Transcript hacking victims, "it repeated its mistake and used lax security online," Wyden said. "For the tax scammers, once again it was as easy as going online, plugging in the personal data you’ve already stolen, and pretending to be somebody who’s lost their IP PIN. So after leaving the front door open, the IRS left the back door open, too. There is no excuse for this."
The IRS breaches are among a growing list of major government breaches. Just this month, the Philippine Commission on the Elections said the personal information of about 70 million people was compromised by hackers. And a hacking group called Cyber Justice Team leaked data from several Syrian government and private websites.
The IRS isn't the only weak link in U.S. taxpayer security, Wyden said. E-file vendors have had their own security problems, he said, and congressional authority allowing the IRS to streamline its cybersecurity hiring process has lapsed.
The streamlined hiring authority is important, said John Koskinen, the agency's commissioner. Most qualified cybersecurity workers won't wait around for the three- to six-month standard federal hiring process, he said.
The IRS is working hard to improve its cybersecurity, Koskinen added. The agency has gotten more than 2,000 security recommendations from the GAO and the Treasury Department's inspector general in recent years, and it has implemented more than 80 percent of them, he said.
Security of taxpayer information is a "top priority," Koskinen said. IRS systems withstand more than 1 million malicious attempts to access data each day, he added.
But Senator Chuck Grassley, an Iowa Republican, questioned why the IRS hasn't implemented some inexpensive GAO recommendations, like changing the passwords on some of its servers every 90 days or providing online security training to new contractors.
"Would you agree that these are low-cost changes that could improve computer security" Grassley asked Koskinen. "Why haven't they been done"
The IRS is moving away from passwords, which are "somewhat questionable" in terms of providing security, and toward access cards, Koskinen said. "We are working as quickly as we can" to implement other recommendations, he added.