IRS needs to do more to fight cyberattacks, watchdog says
WASHINGTON (AP) -- The IRS has failed to implement dozens of security upgrades to combat cyberattacks, leaving the agency's computer systems vulnerable to hackers, a government watchdog told Congress Tuesday.
The agency's inspector general outlined the security weaknesses a week after the IRS announced that criminals had stolen the personal information of 104,000 taxpayers from an IRS website. The IRS believes the information was stolen as part of an elaborate scheme to claim fraudulent tax refunds.
"The IRS faces the daunting task of protecting its data and IT environment from the ever-changing and rapidly-evolving hacker world," said J. Russell George, the Treasury inspector general for tax administration. "This incident provides a stark reminder that even security controls that may have been adequate in the past can be overcome by hackers, who are anonymous, persistent, and have access to vast amounts of personal data and knowledge."
Each year, George's office audits the IRS's security systems and recommends improvements. As of March, 44 of those upgrades had not been completed, George said. Ten of the recommendations were made more than three years ago.
George could not say whether the security upgrades would have prevented the recent breach. However, he added: "It would have been much more difficult had they implemented all of the recommendations that we made."
George and IRS Commissioner John Koskinen testified at a hearing Tuesday by the Senate Finance Committee.
Koskinen said budget cuts have hampered the IRS's ability to upgrade its computer systems. The IRS said funding for cybersecurity has fallen from $187 million in 2011 to $149 million in 2015, a drop of more than 20 percent.
Overall, the agency's funding has been cut by more than $1 billion since 2010, to $10.9 billion this year.
? "We can't on one hand reprimand the IRS for not better protecting taxpayer's sensitive information, while on the other, we slash their budget," said Sen. Tom Carper, D-Del.
Republicans were less sympathetic to claims of inadequate funding.
"Any questions regarding funding levels for the agency should wait until we have a complete understanding about what occurred," said Sen. Orrin Hatch, R-Utah, chairman of the Finance Committee.
Despite the cuts, the IRS has stepped up efforts to combat criminals who use identity theft to claim fraudulent tax refunds, Koskinen said.
This year, the agency's computer filters stopped almost 3 million suspicious returns before they were processed, Koskinen said. That's an increase of 700,000 from last year.
The taxpayer information was stolen from an IRS website called "Get Transcript," where taxpayers can get tax returns and other tax filings from previous years.
The breach doesn't appear to be a traditional hack. The thieves already had detailed knowledge about each taxpayer, including their Social Security number, date of birth, tax filing status and street address. They presumably stole the information elsewhere, the IRS said.
The thieves used the information to access the IRS website. Koskinen said old tax returns could help criminals prepare more authentic-looking tax returns in the future, which they could use to claim fraudulent refunds.
IRS investigators believe the thieves were based in Russia, two officials who were briefed on the matter told The Associated Press. The officials spoke on condition of anonymity because they were not authorized to speak publicly about an ongoing criminal investigation.
On Tuesday, George said the criminals were based in Russia and other countries, which he would not name.
The revelation highlights the global reach of many cyber criminals. It could also complicate efforts to prosecute the offenders.
Koskinen said an increasing number of cyberattacks are coming from Eastern Europe and Asia. However, he said, foreign governments are often slow to help the IRS.
"As a general matter we don't get a lot of cooperation," Koskinen said.
(Copyright 2015 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.)