IRS Reveals Your Tax Data to Visitors, Unauthorized Workers, and Former Employees

Filing your return is like playing the identity theft lottery!

J.D. Tuccille | 3.24.2015 1:21 PM

Former Internal Revenue Service employees have access to your sensitive financial information. So do current employees who aren't authorized to see such data. Even some visitors to IRS facilities may have access to sensitive material. Unless the IRS patches up its information security, warns a Government Accountability Office report, "taxpayers could be exposed to loss of privacy and to financial loss and damages resulting from identity theft or other financial crimes."

For a tax collection agency with a history of putting taxpayers at risk, the GAO report is, unfortunately, just more of the same.

It's not as if IRS officials don't know they have a problem. They do. And they went through the difficulty of purchasing more secure systems and creating new rules. But purchase orders and bureaucratic handbooks are one thing; follow-through is entirely another. Notes IRS Needs to Continue Improving Controls over Financial and Taxpayer Data, released March 19:

A key reason for the information security weaknesses in IRS's financial and tax processing systems was that, although the agency has developed and documented a comprehensive agency-wide information security program, it had not effectively implemented elements of it.

Specifically, the IRS didn't effectively control physical access to its facilities by current and former employees and even by visitors. "Because employees and visitors may be allowed inappropriate access to restricted areas, IRS has reduced assurance that its computing resources and sensitive information are being adequately protected from unauthorized access."

The tax agency also kept accounts with access to sensitive information active for years after their removal had been requested (passwords and accounts weren't set to change or expire). At least one application was managed by a "generic account." And databases weren't isolated from each other, so that employees with access to one could pull up information from another that had nothing to do with their jobs.

IRS had configured multiple Oracle databases operating on a server to run under one account. As a result, any administrator with access to the account would have access to all of these databases; potentially exceeding his/her job duties, and affecting IRS's ability to control the integrity of the data.

Note that the GAO report comes after revelations that the IRS has a habit of rehiring people it fired for snooping through data or otherwise misbehaving on the job. That may help to explain why its employees are regularly exposed as identity thieves and filers of fraudulent returns. The tax agency also improperly turns over sensitive data about taxpayers to law enforcement agencies.

The new report just makes it clear how consistently bad the IRS is at handling and protecting our information. Overall, it's hard to avoid the conclusion that all of the sensitive details about us, our finances, and our personal lives, carelessly stored in IRS databases and made available with little thought to (it seems) anybody with an unhealthy curiosity, is so much hacker bait.

The Rattler is a weekly newsletter from J.D. Tuccille. If you care about government overreach and tangible threats to everyday liberty, this is for you.

NEXT: The New York Times, a Corporation, Worries That the First Amendment Is Now 'Embraced by Corporations'

Hide Comments (40)

Editor's Note: As of February 29, 2024, commenting privileges on reason.com posts are limited to Reason Plus subscribers. Past commenters are grandfathered in for a temporary period. Subscribe here to preserve your ability to comment. Your Reason Plus subscription also gives you an ad-free version of reason.com, along with full access to the digital edition and archives of Reason magazine. We request that comments be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of reason.com or Reason Foundation. We reserve the right to delete any comment and ban commenters for any reason at any time. Comments may only be edited within 5 minutes of posting. Report abuses.

Dweebston 10 years ago

Unless the IRS patches up its information security, warns a Government Accountability Office report, "taxpayers could be exposed to loss of privacy and to financial loss and damages resulting from identity theft or other financial crimes."

And the IRS will be exposed to... no repercussions whatsoever.
1. John Galt 10 years ago
  
  Of course not. And if you want to question that, you certainly will be.
2. jumilaokernma 10 years ago
  
  I make up to usd90 an hour working from my home. My story is that I quit working at Walmart to work online and with a little effort I easily bring in around $40h to usd86h Someone was good to me by sharing this link with me, so now i am hoping i could help someone else out there by sharing this link......... Try it, you won't regret it!... http://www.jobs-check.com
Pl?ya Manhattan. 10 years ago

It's OK when the government does it, but Target and Home Depot must pay!!!!!
1. Episiarch 10 years ago
  
  One of the reasons they come down on the likes of Target is to distract from their own rampant security failures. "See, we're doing our job and protecting your information! Don't look over here at the IRS though!"
Fist of Etiquette 10 years ago

Unless your name is Lois Lerner.
Pro Libertate 10 years ago

Very well, then I hereby enjoin the IRS from further collection, enforcement, or other activity, including having any access to taxpayer (or nonpayer) data. This is a citizen's injunction.
1. Hugh Akston 10 years ago
  
  I'm not sure which is more pitiable ProLib: your delusion that your proclamations carry any weight, or your retarded delusion that any limits can be enforced on the IRS.
  1. Pro Libertate 10 years ago
    
    I hereby lift my injunction in regards to Hugh.
chevy706 10 years ago

A simplification of the tax code to greatly reduce the IRS' exposure might cost me a job, but it might be worth it.
1. Certified Public Asskicker 10 years ago
  
  Everyone is shocked when I tell them I support tax simplification, which most likely means I am out of a job.
  
  There is no passion here, this paper work shuffling is bullshit. I do it for the money.
  1. chevy706 10 years ago
    
    I'd prefer to get back into auditing anyway, to be quite honest.
Episiarch 10 years ago

Realize that this will only get worse, since their incentives to do something about it are almost nil, because no one will be held accountable.

I have a feeling there's going to a major, covers-a-significant-portion-of-taxpayers fuckup at some point (if it hasn't happened already and just been papered over).
1. Pro Libertate 10 years ago
  
  I think it's happened already and has been covered up. We've got to learn to fully accept the criminal enterprise called government is, in fact, criminal.
  1. Episiarch 10 years ago
    
    I don't need to learn something I've know for 20 years, ProL.
    1. Pro Libertate 10 years ago
      
      You only mostly accept. That's why you can't levitate cars and stuff.
HazelMeade 10 years ago

The tax agency also kept accounts with access to sensitive information active for years after their removal had been requested (passwords and accounts weren't set to change or expire).

If my company did this they would be subject to criminal charges.

My password expires every 4 months. I am 100% certain that any employee who left the company would have their badge deactivated on their termination date.
1. Ivan Pike 10 years ago
  
  My password expires every 4 months. I am 100% certain that any employee who left the company would have their badge deactivated on their termination date.
  
  Hazel, my password expires every 60 days, and we deactivate badges and accounts on the day they finish out processing. The IRS is a different animal though.
2. sarcasmic 10 years ago
  
  The DoD office that uses the software we help to maintain can't get its administrators to close accounts when people leave. So we're working on automating the locking of unused accounts, since they can't be bothered to do it themselves.
  1. jay_dubya 10 years ago
    
    ldap that shit
3. Puddin' Stick 10 years ago
  
  If my company did this they would be subject to criminal charges.
  
  I don't think a certain medical non-profit favored by Democrats has faced criminal charges for not setting passwords to expire and for sharing passwords.
Raven Nation 10 years ago

SHUT. IT. DOWN.
John 10 years ago

In fairness to the IRS, maybe having a single agency that owns every adult in America's most personal financial information isn't such a good idea? I am pretty sure no organization short of one run by God himself would be up to the job of totally securing that amount of information.

This story says more about the need to kill the IRS and think of a new way to collect taxes than it does about IRS incompetence.
1. Catatafish 10 years ago
  
  I initially read your sentence as "...a single agency that owns every adult in America...."
  
  This might be one of those new-fangled toe-may-toe/toe-mah-toe situations though.
2. HazelMeade 10 years ago
  
  Um, They could at least implement standard business practices that every major corporation follows. Like deactivating unused accounts, having passwords expire periodically, and limiting building access to people with valid badges.
  
  Do their buildings not even have card readers on the doors? WTF?
  1. sarcasmic 10 years ago
    
    I'm sure they have such policies in place, but they're not enforced. They face no consequences, so there's no incentive.
    1. John 10 years ago
      
      People can be fired at Citibank and Target. That didn't seem to keep their systems very secure. I don't care if you started shooting everyone who didn't follow the protocols, the system still would be vulnerable because every system is.
      1. sarcasmic 10 years ago
        
        I understand what you're saying, but you're missing the point. Like I said in my above comment, the DoD office who uses out software can't get its administrators to deactivate users. They can't be bothered. So we have to automate it. In the private sector such administrators would be fired. But not in government.
        Not only that, but people choose to do business with Target. Not so with the government. So to keep customers coming back, Target must at least appear to make an effort to secure their data. Not so with the government.
        Incentives matter.
        Though I do agree that the best solution is to not keep all that data in the first place.
        
        Oh, and proving that something is not Constitutional is indeed proving a negative, because it's proving a not which is negative. Ass.
        
        sarcasmic 10 years ago
        
        *our*
        
        John 10 years ago
        
        I see your point. My point is that even if you fixed that, having an IRS and one giant database with everyone's information in it would still be a bad idea.
      2. Puddin' Stick 10 years ago
        
        In my experience, banks are paranoid in terms of security while law firms don't care about security.
        
        Health care companies? in between.
  2. John 10 years ago
    
    Even if they did, no system is perfect. You could say the same thing about credit card companies and department stores. And they lose information all of the time.
    
    The fact is no information is perfectly safe. The only answer is not to collect it in the first place whenever you can.
Ivan Pike 10 years ago

kill the IRS and think of a new way to collect taxes

Federal sales tax? That is about the only way you could do it. And you would still have to have agents who would audit the companies. But it would certainly get rid of the requirement to keep data on people.
1. Certified Public Asskicker 10 years ago
  
  Yes, if we need taxes (ducks quickly, stands back up) they should be collected as efficiently as possible.
Colonel Nogov 10 years ago

Seems like another great reason to not file a tax return!
1. mad libertarian guy 10 years ago
  
  There are a million good reasons not to file a return.
  
  Unfortunately, the one reason you must file a return reigns supreme.
Paul. 10 years ago

"taxpayers could be exposed to loss of privacy and to financial loss and damages resulting from identity theft or other financial crimes."

The real financial crime being the tax code itself.
1. Free Society 10 years ago
  
  But potholes!
darryldenna 10 years ago

my co-worker's ex-wife makes $88 every hour on the laptop . She has been laid off for nine months but last month her pay was $17807 just working on the laptop for a few hours. read the full info here..............

http://www.Jobsyelp.com
billieweddle16 10 years ago

I buy almost everything except food and clothing from online auctions most people aren't aware of the almost I unbelievable deals that they can get from online auction sites the site that has the best deals is
??? www?Jobs-Fashion?com

Please log in to post comments

IRS Reveals Your Tax Data to Visitors, Unauthorized Workers, and Former Employees

Filing your return is like playing the identity theft lottery!

Latest

Rise of the Samurai Lawyers

Marco Rubio Says He's Revoked 300 Student Visas Over Campus Activism

Pam Bondi Aims To Revive a Moribund Legal Process for Restoring Gun Rights

Trump Is Sabotaging His 'Drill, Baby, Drill' Agenda

How Backpage Became MILFS.com

Recommended

Login Form