IRS lacks ‘adequate controls’ to protect sensitive taxpayer info from unauthorized access: IG report

A recent inspector general report found that, in some instances, the Internal Revenue Services lacks “adequate controls” to protect sensitive American taxpayer information from unauthorized access, Fox Business reported.

An investigation conducted by the Treasury Inspector General for Tax Administration found that some former IRS employees and contracts still had access to certain “sensitive systems.”

The inspector general launched the investigation after a former IRS contractor, Charles Littlejohn, leaked tax returns belonging to former President Donald Trump and “thousands of the nation’s wealthiest individuals.” Littlejohn was sentenced earlier this year to five years in prison after he admitted to stealing the tax information and providing it to media outlets, Blaze News previously reported.

According to the IG's report, the United States House Ways and Means Committee requested the investigation last year following the “massive leak of confidential tax information that the IRS is charged with keeping secure,” according to a letter from the committee’s chairman, Rep. Jason Smith (R) from Missouri.

In a statement, Smith said, “Alarm bells should have set off at the IRS when it was discovered that an IRS contractor stole and leaked thousands of individuals’ tax returns, including President Trump’s.”

“Instead, it looks like the agency has done very little in response. The IRS has absolutely no excuse for the failure to protect confidential taxpayer information,” he added.

The recent report explained, “Subsequent to receipt of the Chairman’s letter, TIGTA agreed to conduct an evaluation addressing how the IRS grants access to and safeguards Federal Tax Information maintained on its various information technology systems (i.e., sensitive systems).”

The IG noted that the “unauthorized access and disclosure of taxpayer information could undermine the taxpaying public’s trust in the Federal tax system to safeguard confidential tax information.”

The inspector general’s investigation found that the agency grants access through its Business Entitlement Access Request System. The process for employees and contractors is the same, it added.

The probe discovered that more than 91,000 users had access to one or more of its 276 sensitive systems as of July. Over 5,000 of those users were contractors.

“Procedures to systemically remove users who no longer require access to sensitive systems were not always working as intended. For example, TIGTA identified 279 users who were listed in BEARS as separated who, as of July 13, 2023, continued to have access to at least one IRS sensitive system. However, for each of these individuals IRS network access was removed, which according to the IRS, reduces, but does not eliminate, the risk that a user can access a sensitive system,” the report stated.

Additionally, when an employee’s or a contractor’s background check came back “not favorable” those individuals were “not always remove[d]," it found.

“Specifically, 19 contractors’ most recent background investigations were not favorable as of July 13, 2023. However, these contractors still retained their access to one or more sensitive systems because the IRS did not take action to suspend or disable the contractors from the IRS’s systems, as required,” the report continued.

The investigation noted that the IRS is taking steps to improve the security of its sensitive systems.

“However, for some sensitive systems, the IRS does not have adequate controls to detect or prevent the unauthorized removal of data by users,” the report stated.

As a result of the probe’s findings, the IG made three recommendations to the IRS, including immediately suspending users who receive not favorable background investigations and the “timely” removal of workers who separate from the agency.

While the IRS agreed to all of the IG's recommendations, it “disagreed” with the “characterization of the IRS’s ‘current security posture,’” the report read.

“The IRS disagreed with any inference that the 19 contractors TIGTA identified compromised sensitive information. All 19 contractors received prior favorable background investigations, and 15 contractors were reinstated after resubmitting their documentation. The remaining four contractors had their network access disabled and have been separated in the personnel system,” it added.

Additionally, the IRS stated that it “already takes steps to remove access when a contractor is identified as not having a favorable background determination.”

IRS Commissioner Daniel Werfel testified before the committee last week, claiming that the agency has “taken a bunch of actions” to protect sensitive taxpayer information.

The IRS did not respond to a request for comment from Fox Business.

Like Blaze News? Bypass the censors, sign up for our newsletters, and get stories like this direct to your inbox. Sign up here!