Taxpayers’ Personal Information at Risk of IRS Malfeasance, Treasury Department Warns
Any rogue IRS employee or contractor could, potentially, access one or more taxpayers’ personal information and use it to harm the public.
And if that happens then IRS leadership might never know.
This, according to an audit that the Treasury Inspector General for Tax Administration (TIGTA) published late last month.
“The Internal Revenue Service (IRS) collects, processes, and stores large amounts of taxpayer information. IRS employees and contractors can pose a substantial risk due to their knowledge of and legitimate access to IRS systems, which could be leveraged for illegal and nefarious purposes,” according to the audit.
“The potential harm can include damage through espionage, terrorism, unauthorized disclosure of taxpayer information, or loss or degradation of system functionality.”
After a leak of classified material by a U.S. Army intelligence analyst in 2010, federal officials directed that all agencies that operate or access classified computer networks designate a senior official to safeguard classified information. That same senior official, the audit went on to say, must establish an insider threat detection program within his or her respective agency.
IRS officials implemented such a system in 2016. They later named it the User Behavior Analytics Capability (UBAC) “to detect and mitigate risks to data and systems arising from insider threats.”
TIGTA auditors said IRS staff have made “substantial progress” implementing the system, but improvements are needed.
Among the findings:
• The IRS did not have a complete inventory of systems to monitor for its UBAC capability.
• The IRS was initially unable to provide an accurate number of systems that had Federal Tax Information and Personally Identifiable Information.
• UBAC did not do a good enough job documenting insider threat risks associated with high-value assets.
Auditors also said UBAC analytics did not document various risk indicators for who within the agency might pose an insider threat. Those risk indicators include IRS employees who, among other things, show aggressive outbursts at work, seem disgruntled, receive corrective action, or commit sexual harassment.
“Consequently, the IRS may be unable to identify insider threat activity that may negatively affect the confidentiality, integrity, or availability of the IRS’s information or information systems,” the audit said.
“An effective insider threat capability is vital to protect taxpayer information and IRS operations.”
Send story tips and other story suggestions to [email protected]