IRS ignored recommendation to deactivate hacked IP PIN program

The Internal Revenue Service failed to deactivate its Identity Protection Personal Identification Number program after a data breach in May 2015 for nearly a year, despite repeated recommendations from the Treasury Inspector General for Tax Administration, according to a new report.

The report, from TIGTA, said the IRS instead allowed the IP PIN application to stay up and running, although the IRS did try to lower the risk of fraudulent tax returns being filed with IP PINs during the 2016 filing season. The IRS planned to manually review any tax returns filed with an IP PIN that was viewed online via the application. However, TIGTA found that over one-third of the IP PINs were not reviewed. TIGTA found that 12,020 of the 32,623 tax returns filed between January 19 and May 24, 2016 with an IP PIN that was viewed online were not manually reviewed.

An IP PIN is a six-digit number that the IRS gives to taxpayers, particularly those who have been the victims of identity theft, to enable their tax returns and refunds to be processed and helps prevent thieves from stealing their Social Security Numbers to file fraudulent tax returns. Some taxpayers can get an IP PIN to avoid becoming a victim of identity theft. IP PINs are sometimes given out through an opt-in program aimed at taxpayers in states and locations with the highest per capita rate of identity theft.

The IRS ultimately suspended the IP PIN service in March 2016 in the midst of tax season after discovering a data breach (see IRS suspends IP PIN service for identity theft victims). It restored the service last July with extra security features to authenticate taxpayers’ identities (see IRS restores IP PIN tool with improved authentication). The IRS similarly needed to beef up the security on its Get Transcript app last year after a data breach in 2015 (see IRS relaunches ‘Get Transcript’ app with better authentication). This month, the IRS needed to take down a student loan app on its site after security concerns emerged that it could be accessed by identity thieves (see IRS student loan link goes dark).

Andrew Harrer/Bloomberg

The report released Monday by TIGTA found the IRS did not always consistently update taxpayer accounts to ensure IP PINs were generated for taxpayers as required. The IRS also failed to generate an IP PIN for more than 2 million taxpayers for whom the IRS resolved an identity theft case. On top of that, the IP PIN notice continues to contain inaccurate information, the report noted. The IRS also has not updated its identification of locations that may now have the highest per capita rate based on identity theft complaints.

“As identity theft continues to represent one of the most serious ongoing threats to the federal system of tax administration, the IRS must do everything in its power to aid victims of this crime,” said TIGTA Inspector General J. Russell George in a statement. “I am pleased that the IRS has agreed with TIGTA’s concerns and has developed a plan to implement our recommendations.”

TIGTA offered five recommendations in the report. In response, the IRS said it shared TIGTA’s concerns and has developed mitigation strategies to address potential vulnerabilities.

“While the IP PIN has been an effective tool for protecting taxpayers from subsequent tax-related IDT refund fraud, it is not a holistic or sustainable solution that can be applied to the more than 150 million returns that are filed annually each year,” wrote Kenneth C. Corbin, commissioner of the IRS’s Wage and Investment Division, in response to the report. “As such, the IRS continues to explore less burdensome and more nimble, adaptive and cost effective ways to verify the identity of filers at the time tax returns are submitted.”