IRS

IRS Reveals Your Tax Data to Visitors, Unauthorized Workers, and Former Employees

Filing your return is like playing the identity theft lottery!

|

Matthew G Bisanz

Former Internal Revenue Service employees have access to your sensitive financial information. So do current employees who aren't authorized to see such data. Even some visitors to IRS facilities may have access to sensitive material. Unless the IRS patches up its information security, warns a Government Accountability Office report, "taxpayers could be exposed to loss of privacy and to financial loss and damages resulting from identity theft or other financial crimes."

For a tax collection agency with a history of putting taxpayers at risk, the GAO report is, unfortunately, just more of the same.

It's not as if IRS officials don't know they have a problem. They do. And they went through the difficulty of purchasing more secure systems and creating new rules. But purchase orders and bureaucratic handbooks are one thing; follow-through is entirely another. Notes IRS Needs to Continue Improving Controls over Financial and Taxpayer Data, released March 19:

A key reason for the information security weaknesses in IRS's financial and tax processing systems was that, although the agency has developed and documented a comprehensive agency-wide information security program, it had not effectively implemented elements of it.

Specifically, the IRS didn't effectively control physical access to its facilities by current and former employees and even by visitors. "Because employees and visitors may be allowed inappropriate access to restricted areas, IRS has reduced assurance that its computing resources and sensitive information are being adequately protected from unauthorized access."

The tax agency also kept accounts with access to sensitive information active for years after their removal had been requested (passwords and accounts weren't set to change or expire). At least one application was managed by a "generic account." And databases weren't isolated from each other, so that employees with access to one could pull up information from another that had nothing to do with their jobs.

IRS had configured multiple Oracle databases operating on a server to run under one account. As a result, any administrator with access to the account would have access to all of these databases; potentially exceeding his/her job duties, and affecting IRS's ability to control the integrity of the data.

Note that the GAO report comes after revelations that the IRS has a habit of rehiring people it fired for snooping through data or otherwise misbehaving on the job. That may help to explain why its employees are regularly exposed as identity thieves and filers of fraudulent returns. The tax agency also improperly turns over sensitive data about taxpayers to law enforcement agencies.

The new report just makes it clear how consistently bad the IRS is at handling and protecting our information. Overall, it's hard to avoid the conclusion that all of the sensitive details about us, our finances, and our personal lives, carelessly stored in IRS databases and made available with little thought to (it seems) anybody with an unhealthy curiosity, is so much hacker bait.

NEXT: The New York Times, a Corporation, Worries That the First Amendment Is Now 'Embraced by Corporations'

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. Unless the IRS patches up its information security, warns a Government Accountability Office report, “taxpayers could be exposed to loss of privacy and to financial loss and damages resulting from identity theft or other financial crimes.”

    And the IRS will be exposed to… no repercussions whatsoever.

    1. Of course not. And if you want to question that, you certainly will be.

    2. I make up to usd90 an hour working from my home. My story is that I quit working at Walmart to work online and with a little effort I easily bring in around $40h to usd86h Someone was good to me by sharing this link with me, so now i am hoping i could help someone else out there by sharing this link……… Try it, you won’t regret it!… http://www.jobs-check.com

  2. It’s OK when the government does it, but Target and Home Depot must pay!!!!!

    1. One of the reasons they come down on the likes of Target is to distract from their own rampant security failures. “See, we’re doing our job and protecting your information! Don’t look over here at the IRS though!”

  3. Unless your name is Lois Lerner.

  4. Very well, then I hereby enjoin the IRS from further collection, enforcement, or other activity, including having any access to taxpayer (or nonpayer) data. This is a citizen’s injunction.

    1. I’m not sure which is more pitiable ProLib: your delusion that your proclamations carry any weight, or your retarded delusion that any limits can be enforced on the IRS.

      1. I hereby lift my injunction in regards to Hugh.

  5. A simplification of the tax code to greatly reduce the IRS’ exposure might cost me a job, but it might be worth it.

    1. Everyone is shocked when I tell them I support tax simplification, which most likely means I am out of a job.

      There is no passion here, this paper work shuffling is bullshit. I do it for the money.

      1. I’d prefer to get back into auditing anyway, to be quite honest.

  6. Realize that this will only get worse, since their incentives to do something about it are almost nil, because no one will be held accountable.

    I have a feeling there’s going to a major, covers-a-significant-portion-of-taxpayers fuckup at some point (if it hasn’t happened already and just been papered over).

    1. I think it’s happened already and has been covered up. We’ve got to learn to fully accept the criminal enterprise called government is, in fact, criminal.

      1. I don’t need to learn something I’ve know for 20 years, ProL.

        1. You only mostly accept. That’s why you can’t levitate cars and stuff.

  7. The tax agency also kept accounts with access to sensitive information active for years after their removal had been requested (passwords and accounts weren’t set to change or expire).

    If my company did this they would be subject to criminal charges.

    My password expires every 4 months. I am 100% certain that any employee who left the company would have their badge deactivated on their termination date.

    1. My password expires every 4 months. I am 100% certain that any employee who left the company would have their badge deactivated on their termination date.

      Hazel, my password expires every 60 days, and we deactivate badges and accounts on the day they finish out processing. The IRS is a different animal though.

    2. The DoD office that uses the software we help to maintain can’t get its administrators to close accounts when people leave. So we’re working on automating the locking of unused accounts, since they can’t be bothered to do it themselves.

    3. If my company did this they would be subject to criminal charges.

      I don’t think a certain medical non-profit favored by Democrats has faced criminal charges for not setting passwords to expire and for sharing passwords.

  8. SHUT. IT. DOWN.

  9. In fairness to the IRS, maybe having a single agency that owns every adult in America’s most personal financial information isn’t such a good idea? I am pretty sure no organization short of one run by God himself would be up to the job of totally securing that amount of information.

    This story says more about the need to kill the IRS and think of a new way to collect taxes than it does about IRS incompetence.

    1. I initially read your sentence as “…a single agency that owns every adult in America….”

      This might be one of those new-fangled toe-may-toe/toe-mah-toe situations though.

    2. Um, They could at least implement standard business practices that every major corporation follows. Like deactivating unused accounts, having passwords expire periodically, and limiting building access to people with valid badges.

      Do their buildings not even have card readers on the doors? WTF?

      1. I’m sure they have such policies in place, but they’re not enforced. They face no consequences, so there’s no incentive.

        1. People can be fired at Citibank and Target. That didn’t seem to keep their systems very secure. I don’t care if you started shooting everyone who didn’t follow the protocols, the system still would be vulnerable because every system is.

          1. I understand what you’re saying, but you’re missing the point. Like I said in my above comment, the DoD office who uses out software can’t get its administrators to deactivate users. They can’t be bothered. So we have to automate it. In the private sector such administrators would be fired. But not in government.
            Not only that, but people choose to do business with Target. Not so with the government. So to keep customers coming back, Target must at least appear to make an effort to secure their data. Not so with the government.
            Incentives matter.
            Though I do agree that the best solution is to not keep all that data in the first place.

            Oh, and proving that something is not Constitutional is indeed proving a negative, because it’s proving a not which is negative. Ass.

            1. I see your point. My point is that even if you fixed that, having an IRS and one giant database with everyone’s information in it would still be a bad idea.

          2. In my experience, banks are paranoid in terms of security while law firms don’t care about security.

            Health care companies? in between.

      2. Even if they did, no system is perfect. You could say the same thing about credit card companies and department stores. And they lose information all of the time.

        The fact is no information is perfectly safe. The only answer is not to collect it in the first place whenever you can.

  10. kill the IRS and think of a new way to collect taxes

    Federal sales tax? That is about the only way you could do it. And you would still have to have agents who would audit the companies. But it would certainly get rid of the requirement to keep data on people.

    1. Yes, if we need taxes (ducks quickly, stands back up) they should be collected as efficiently as possible.

  11. Seems like another great reason to not file a tax return!

    1. There are a million good reasons not to file a return.

      Unfortunately, the one reason you must file a return reigns supreme.

  12. “taxpayers could be exposed to loss of privacy and to financial loss and damages resulting from identity theft or other financial crimes.”

    The real financial crime being the tax code itself.

  13. my co-worker’s ex-wife makes $88 every hour on the laptop . She has been laid off for nine months but last month her pay was $17807 just working on the laptop for a few hours. read the full info here…………..

    http://www.Jobsyelp.com

  14. I buy almost everything except food and clothing from online auctions most people aren’t aware of the almost I unbelievable deals that they can get from online auction sites the site that has the best deals is
    ??? www?Jobs-Fashion?com

Please to post comments

Comments are closed.