IRS didn’t remove contractors’ access to sensitive information

Hundreds of Internal Revenue Service employees and contractors continued to have access to at least one sensitive IRS computer system even after they stopped working there, according to a report.

The report, released last week by the Treasury Inspector General for Tax Administration, came in response to an investigation into the leak of tax returns from billionaires such as Donald Trump, Elon Musk, Jeff Bezos and others to news organizations like the New York Times and ProPublica in 2021. The leak was eventually traced to an outside contractor named Charles Littlejohn, who pleaded guilty last October and was sentenced last month to five years in prison. ProPublica reported in 2021 that it had “obtained a vast trove of Internal Revenue Service data on the tax returns of thousands of the nation’s wealthiest people, covering more than 15 years. The data provides an unprecedented look inside the financial lives of America’s titans, including Warren Buffett, Bill Gates, Rupert Murdoch and Mark Zuckerberg.” The chairman of Congress’s tax-writing House Ways and Means Committee, Rep. Jason Smith, R-Missouri, asked TIGTA last February to investigate the leak as well as evaluate how the IRS grants access to and safeguards federal tax information maintained on various sensitive computer systems. 

TIGTA found that users are granted access to sensitive systems via the Business Entitlement Access Request System (BEARS) application and that the process is the same for employees and contractors.  As of July 13, 2023, the evaluation identified a total of 91,661 users, of whom 5,068 were contractors, employed by 187 different companies, who were authorized to access one or more of the 276 sensitive systems. 

Procedures to systematically remove users who no longer required access to those systems weren’t always working correctly. TIGTA identified 279 users who were listed in BEARS as separated from the IRS who, as of July 13, 2023, continued to have access to at least one IRS sensitive system, even though they weren’t working for the IRS anymore. However, none of these users had access to the IRS network, reducing the risk they could access a sensitive system.

The IRS didn’t always remove contractor access to sensitive systems, even when the background investigations on contractors and employees were unfavorable. TIGTA found that 19 contractors’ most recent background investigations were not favorable as of July 13, 2023, but these contractors still retained their access to one or more sensitive systems because the IRS didn’t take action to suspend or disable the contractors from the IRS’s systems, as required. The IRS is now evaluating what steps it can take to improve its ability to protect the data on its sensitive systems. Those steps include identifying and recording user actions when accessing sensitive data and tracking authorized and unauthorized attempts of removal of sensitive data from its systems. One of the main initiatives involves a project to improve security on the IRS’s Compliance Data Warehouse in terms of user access and data export of federal tax information from certain IRS systems. But for some sensitive systems, the IRS lacks adequate controls to detect or prevent unauthorized removal of data by users. Some of the systems lack complete, accurate and usable audit trail logs for monitoring and identifying unauthorized access and for other investigative purposes. 

TIGTA made three recommendations in the report, such as ensuring that access to sensitive systems is immediately suspended when a contractor is identified as not having a favorable background investigation determination and making sure that user network and sensitive system access are removed for users who leave the IRS. The IRS agreed with all three recommendations. 

“During the past year, the IRS has strengthened our internal systems, protocols and procedures by implementing numerous improvements,” wrote Melanie Krause, acting deputy commissioner for operations and support at the IRS, in response to the report. “These include more robust data encryption, stronger 24/7 monitoring that improves insight into suspicious activity on the IRS network, and expanded audit trails that improve the surveillance of internal and external access to IRS sensitive systems. With critical investments made possible by multiyear Inflation Reduction Act funding, our cybersecurity modernization efforts have made important progress in these and other areas.”

Republicans on the House Ways and Means Committee want the IRS to do more to safeguard the systems, although they have also called for cuts in the Inflation Reduction Act funding.

“Alarm bells should have been set off at the IRS when it was discovered that an IRS contractor stole and leaked thousands of individuals’ tax returns, including President Trump’s,” Smith said in a statement Monday. “Instead, it looks like the agency has done very little in response. The IRS has absolutely no excuse for the failure to protect confidential taxpayer information. The IRS must prioritize safeguarding taxpayer information and put adequate controls in place to prevent leaks of sensitive taxpayer information from happening again.”

Rep. David Schweikert, R-Arizona, who chairs the House Ways and Means Oversight Subcommittee, believes the IRS needs to do more this tax season to reassure taxpayers who are worried about filing. 

“For the federal tax system to work, taxpayers must be confident that their private taxpayer information is safe and protected,” he said in a statement. “The IRS clearly failed to put in place adequate safety measures to prevent the leaking of thousands of individuals’ tax returns, and it appears the agency still hasn’t learned its lesson. The last thing taxpayers need is one more excuse not to file. Chairman Smith and I call upon the IRS to take immediate steps to protect confidential taxpayer information for the current tax-filing season and put the necessary guardrails in place to ensure private tax returns are never leaked again.”