WASHINGTON (AP) — Government watchdogs warned the IRS about security flaws in the agency’s computer systems years before hackers stole the personal information of thousands of taxpayers from an IRS website.
Now IRS Commissioner John Koskinen is heading to Capitol Hill to answer questions about why the tax agency didn’t address those weaknesses.
“Computer security has been problematic for the IRS since 1997,” the agency’s inspector general said in an October memo to Treasury Secretary Jacob Lew. In the memo, inspector general J. Russell George said securing taxpayer and employee data was the IRS’s top management challenge.
More recently, the Government Accountability Office issued a report in March that identified dozens of weaknesses in the IRS’s computer security. Until those weaknesses are fixed, “financial and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification or disclosure,” the GAO said.
Criminals stole the personal information of 104,000 taxpayers from an IRS website from February to mid-May, the agency disclosed last week. The information was stolen as part of an elaborate scheme to claim fraudulent tax refunds, Koskinen told reporters.
IRS investigators believe the thieves were based in Russia, two officials who were briefed on the matter told The Associated Press. The officials spoke on condition of anonymity because they were not authorized to speak publicly about an ongoing criminal investigation.
Koskinen and George are scheduled to testify before the Senate Finance Committee Tuesday morning. Koskinen also is appearing before the Senate Homeland Security Committee Tuesday afternoon.
“Last week’s devastating announcement that the private information of over 100,000 taxpayers had been compromised sent shock waves through the halls of Congress,” said Sen. Orrin Hatch, R-Utah, chairman of the Finance Committee. “Given that the IRS’s own internal watchdog has repeatedly warned that their security system was not up to par, we need to find out exactly what happened, who is behind it, and how we can move forward to ensure it never happens again.”
The IRS blames budget cuts for hampering the agency’s ability to upgrade its computer systems. In a statement, the IRS said funding for cybersecurity has fallen from $187 million in 2011 to $149 million in 2015, a drop of more than 20 percent.
Overall, the agency’s funding has been cut by more than $1 billion since 2010, to $10.9 billion this year.
Koskinen has said the IRS is still using some computer applications that date to the Kennedy administration. In February, he warned Congress that budget cuts were preventing the IRS from improving safeguards against identity theft.
“The cuts we are making include delays to critical information technology investments of more than $200 million this year,” Koskinen told the Finance Committee at a hearing. “This means, among other things, that aging IT systems will not be replaced and new taxpayer protections against identity theft will be delayed.”
The thieves took the taxpayer information from an IRS website called “Get Transcript,” where taxpayers can get tax returns and other tax filings from previous years.
The breach doesn’t appear to be a traditional hack. The thieves already had detailed knowledge about each taxpayer, including their Social Security number, date of birth, tax filing status and street address. They presumably stole the information elsewhere, the IRS said.
The thieves used the information to access the IRS website. Koskinen said old tax returns could help criminals prepare more authentic-looking tax returns in the future, which they could use to claim fraudulent refunds.
This year, the thieves claimed about 15,000 refunds using information they stole from the website. Koskinen said the refunds totaled as much as $50 million.