W&M Leaders Ask for Information on IRS Security Risk Procedures

Bipartisan W&M Leaders Call for IRS to Provide Information on
Security Risks Affecting Taxpayers and Students

April 28, 2017

WASHINGTON, DC — House Ways and Means Committee Chairman Kevin Brady (R-TX), Ways and Means Committee Ranking Member Richard Neal (D-MA), Oversight Subcommittee Chairman Vern Buchanan (R-FL), and Oversight Subcommittee Ranking Member John Lewis (D-GA) today sent a letter to Internal Revenue Service (IRS) Commissioner John Koskinen requesting additional information regarding how the IRS identifies and addresses security risks for their online taxpayer tools and applications, including the recently suspended the Free Application for Federal Student Aid (FAFSA) Data Retrieval Tool (DRT). In the letter, the Members expressed concerns about the steps that the IRS takes to ensure that taxpayer information is adequately protected from breaches of its online tools and applications. The Members requested that the IRS provide them with detailed information on how it protects taxpayers using these online tools.

The Members wrote:

BACKGROUND:

The IRS’s online tools and applications such as Identity Protection Personal Identification Number (IP PIN), Get Transcript, and the online DRT used to assist those filling out the FAFSA have been subject to cyberattacks, at times resulting in the loss of taxpayer information.

As a result of these attacks, the IRS has been forced to temporarily suspend online tools or applications, often for extended periods of time, until a long-term security solution can be found. The DRT, which populated the online FAFSA application using tax information retrieved from the IRS, was taken offline in March 2017 after the IRS and Department of Education found evidence of potentially fraudulent activity. Although an IRS risk assessment from October 2016 suggested concerning vulnerabilities with the tool, it was not until five months later in March 2017 that the tool was taken offline. The IRS Commissioner recently testified before the Senate Finance Committee that this most recent cyberattack may have compromised the information of as many as 100,000 taxpayers. Both the Treasury Inspector General for Tax Administration and the Government Accountability Office have raised concerns in recent years about the adequacy of the IRS’s authentication measures for its online tools.

CLICK HERE to view the entire letter.

Full text of the letter sent to Commissioner Koskinen:

April 28, 2017

The Honorable John Koskinen
Commissioner
Internal Revenue Service
1111 Constitution Avenue, NW
Washington, DC 20224

Dear Commissioner Koskinen:

Thank you for your April 6th letter providing an update on the recent events surrounding the suspension of the Internal Revenue Service’s (IRS) Data Reporting Tool (DRT), which allows students and parents to access and transfer the tax return information needed to complete the Free Application of Federal Student Aid (FAFSA). This tool simplifies the process for those seeking federal student aid and ensures the accuracy of tax information used to make student aid decisions. While the temporary removal of this tool does not prevent applicants from completing their FAFSA form, it does put in place a significant barrier for those who do not have their previous tax returns readily available. Therefore, we still have a number of questions surrounding this latest incident, and we write today to request more information about this and other IRS online tools and applications.

The temporary removal of the DRT serves as the most recent example of a suspension of an IRS online tool or application due to cyberattacks seeking to gain access to taxpayer information. Similar events occurred with the Get Transcript and Identity Protection Personal Identification Numbers (IP PIN) applications, both of which were taken offline for significant periods of time and resulted in the loss of taxpayer information. In the case of the Get Transcript application, TIGTA determined that the process used to authenticate taxpayers did not meet National Institute of Standards and Technology standards, ultimately leading to the issuance of $490 million in potentially fraudulent tax refunds. In the case of the IP PIN application, the IRS did not sufficiently complete a required authentication risk assessment and repeatedly was warned by TIGTA that the application had significant security weaknesses that were not adequately addressed, which led to an eventual security breach.

In our current landscape, bad actors will always pose a cyber threat to federal systems, but the IRS must continue to focus on balancing the protection of taxpayer information with taxpayers’ rights to easily interface with the IRS, especially online. We remain deeply concerned that the IRS is not doing all that it can to assess properly and to prevent unauthorized access to taxpayer information, in particular through IRS online tools and applications. To assist the Committee in better understanding the IRS’s actions in this matter, please provide the following information:

Thank you in advance for your prompt response to this request. We ask that you provide this information to the Committee no later than Thursday, May 18, 2017.