IG: IRS failed to upgrade security ahead of cyberattack

WASHINGTON — The IRS failed to implement dozens of security upgrades to its computer systems, some of which could have made it more difficult for hackers to use an IRS website to steal tax information from 104,000 taxpayers, a government investigator told Congress Tuesday.

The agency’s inspector general couldn’t say whether the upgrades would have prevented the breach. But, he added, “I can say it would have been much more difficult had they implemented all of the recommendations that we made.”

Each year, the Treasury inspector general for tax administration audits the IRS’s security systems and recommends improvements. As of March, 44 of those upgrades had not been completed, said the inspector general, J. Russell George.

Ten of the recommendations were made more than three years ago.

In addition, the Government Accountability Office issued a report in March that identified more than 50 weaknesses in the IRS’s computer security that had not been resolved. Until those weaknesses are fixed, “financial and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification or disclosure,” the GAO said.

George testified Tuesday before the Senate Finance Committee. He was joined by IRS Commissioner John Koskinen, who disputed George’s claims that the upgrades would have helped deter the breach.

Koskinen said the information was stolen by thieves who already had personal information about the victims, including Social Security numbers, birth dates and addresses. The personal information was presumably stolen elsewhere, though neither George nor Koskinen could say where.

The thieves used the information to access an IRS website called “Get Transcript,” where taxpayers can get tax returns and other tax filings from previous years. The IRS’s main computer system, which taxpayers use to file their returns, was not breached, Koskinen said.

“We should do and will continue to implement their recommendations,” Koskinen said of the IG’s proposals. “But those recommendations did not go to this particular web access.”

The IRS believes the information was stolen as part of an elaborate scheme to claim fraudulent tax refunds. George confirmed that at least some of the thieves were based in Russia, though he said some were in other countries, which he would not name.

Koskinen said the thieves are part of a sophisticated international syndicate.

“These are criminal syndicates that are not bound by geographic limits,” Koskinen said. “They may be operating in one country but they’re operating across country lines, and they’re oftentimes operating in conjunction with each other or selling data back and forth to each other.”

The revelation highlights the global reach of many cyber criminals. It could also complicate efforts to prosecute the offenders.

Koskinen said an increasing number of cyberattacks are coming from Eastern Europe and Asia. However, he said, foreign governments are often slow to help U.S. authorities.

“As a general matter we don’t get a lot of cooperation,” Koskinen said.

So far, the thieves have claimed about 13,000 refunds using information they stole from the website, Koskinen said. The refunds have totaled about $39 million.

The IRS is notifying taxpayers who had their information compromised, Koskinen said. Their files will be tagged so no one can use their information to claim a fraudulent tax refund in the future.

Koskinen said budget cuts have hampered the IRS’s ability to upgrade its computer systems. Funding for cybersecurity has been cut by 20 percent since 2011, to $149 million this year.

Overall, the agency’s funding has been cut by more than $1 billion since 2010, to $10.9 billion this year.

Congressional Republicans have targeted the IRS for funding cuts in part to hurt the agency’s ability to implement President Barack Obama’s health law. The IRS also became a target after officials acknowledged in 2013 that agents had singled out conservative political groups for extra scrutiny when they applied for tax-exempt status.

Koskinen said the IRS requested $600 million over the past two years for computer upgrades related to the health law, but Congress gave the agency nothing.

“So we had to take that money out of information technology expenditures,” Koskinen said.

However, on Tuesday, Koskinen said he didn’t want to blame budget cuts for the breach.

“Not every problem is a budget problem, so I don’t want to wander around town every time we have a challenge saying, ‘Ah, if we had more money, we’d fix it,”’ Koskinen said. “This is a technology issue, not a budget (issue), but a question of security, a question of keeping up criminals in terms of authentication.”

Talk to us

> Give us your news tips.

> Send us a letter to the editor.

> More Herald contact information.

More in Local News

Olivia Vanni / The Herald The Mukilteo Lighthouse. Built in 1906, it’s one of the most iconic landmarks in Snohomish County. The Mukilteo Lighthouse. Built in 1906, it’s one of the most iconic landmarks in Snohomish County. (Olivia Vanni / The Herald)
Mukilteo mayor vetoes council-approved sales tax

The tax would have helped pay for transportation infrastructure, but was also set to give Mukilteo the highest sales tax rate in the state.

South County Fire plans push-in ceremony for newest fire engine

Anybody who attends will have the opportunity to help push the engine into the station.

Marysville Mayor Jon Nehring gives the state of the city address at the Marysville Civic Center on Wednesday, Jan. 31, 2024, in Marysville, Washington. (Ryan Berry / The Herald)
Marysville council approves interim middle housing law

The council passed the regulations to prevent a state model code from taking effect by default. It expects to approve final rules by October.

x
State audit takes issue with Edmonds COVID grant monitoring

The audit report covered 2023 and is the third since 2020 that found similar issues with COVID-19 recovery grant documentation.

Bothell
Bothell man pleads guilty to sexual abuse of Marysville middle schoolers

The man allegedly sexually assaulted three students in exchange for vapes and edibles in 2022. His sentencing is set for Aug. 29.

Larsen talks proposed Medicaid cuts during Compass Health stop in Everett

Compass Health plans to open its new behavioral health center in August. Nearly all of the nonprofit’s patients rely on Medicaid.

Community members gather for the dedication of the Oso Landslide Memorial following the ten-year remembrance of the slide on Friday, March 22, 2024, at the Oso Landslide Memorial in Oso, Washington. (Ryan Berry / The Herald)
The Daily Herald garners 6 awards from regional journalism competition

The awards recognize the best in journalism from media outlets across Alaska, Idaho, Montana, Oregon and Washington.

on Monday, July 14, 2025 in Edmonds, Washington. (Olivia Vanni / The Herald)
Mini heat wave moving into Snohomish County

The National Weather Service has issued a heat advisory, warning of temperatures climbing to mid-80s or low 90s Tuesday and Wednesday.

Snohomish County Dahlia Society members Doug Symonds and Alysia Obina on Monday, March 3, 2025 in Lake Stevens, Washington. (Olivia Vanni / The Herald)
How to grow for show: 10 tips for prize-winning dahlias

Snohomish County Dahlia Society members share how they tend to their gardens for the best blooms.

State Attorney General Nick Brown's office posted a release announcing $720 million in nationwide settlements with eight drugmakers that manufactured opioid pills and worsened the nationwide opioid crisis. The state could receive more than $16 million, the release said. (Ryan Berry/Washington State Standard)
Snohomish County to receive portion of latest $16M opioid settlement

While the amount of money is still unknown, funding plans are already in place to help with drug abuse prevention, treatment and education.

District 2 candidates differ in public safety approach

Incumbent Paula Rhyne is facing challenger Ryan Crowther. The third candidate, Jonathan Shapiro, is no longer seeking the seat.

From left to right, Edmonds City Council Position 3 candidates Joseph Ademofe, Alex Newman and Erika Barnett.
Amid budget crisis, Edmonds City Council candidates talk revenue, affordability

Three newcomers are facing off for Position 3 on the council, currently held by council President Neil Tibbott.

Support local journalism

If you value local news, make a gift now to support the trusted journalism you get in The Daily Herald. Donations processed in this system are not tax deductible.