The Internal Revenue Service needs to beef up its data security by improving how it authenticates taxpayer identities, according to a report by an in-house watchdog.
The agency has a goal of providing taxpayers with access to online accounts that allow them to see recent payments, make minor changes to their accounts in real-time and communicate digitally with the IRS, the Treasury Inspector General for Tax Administration (TIGTA) said.
“It is critical that the methods the IRS uses to authenticate individuals’ identities ensure that tax information and services are provided only to individuals who are entitled to receive them,” Treasury Inspector General J. Russell George said in a news release.
But the report says the level of authentication the IRS uses is inconsistent across services. While it has established two groups that focus on taxpayer authentication, neither of them provides for cross-functional management, oversight, and continued evaluation of the IRS’s existing authentication processes, TIGTA said.
Moreover, authentication methods used for current online services do not comply with the government’s information security standards requiring multi-factor authentication for such high-risk applications. As a result, “unscrupulous individuals” have gained unauthorized access to tax account information.
The Government Accountability Office reported earlier this year that the IRS has made some progress in enhancing the security of its computer systems but financial and taxpayer data remain “unnecessarily vulnerable” to fraudsters and hackers.
In May, the agency disclosed that hackers accessed the personal tax data of more than 100,000 taxpayers in an effort to claim fraudulent refunds.
TIGTA said a consistent approach to authentication is vital due to the increasing number of data breaches in the private and public sectors.
The IRS agreed to implement TIGTA’s recommendations, which include developing a service-wide strategy to establish consistent oversight of all authentication needs and ensuring that authentication processes meet the government’s information security standards.