
Taxpayer Information Keeps Ending Up In the Wrong Hands. What Can IRS Do To Better Protect It?

Posted on September 26, 2023

When you file your taxes each year, you expect IRS to keep your personal and financial information safe. This information includes things like your income, any loans you might have, where you live, Social Security number, and more. But recently, large leaks of sensitive taxpayer data have made headlines and have highlighted critical weaknesses in IRS’s ability to protect this information.

Today’s WatchBlog post looks at our new report on these weaknesses and what IRS needs to do better to protect taxpayers’ information. And check out our video to hear from GAO experts Jessica Lucas-Judy and Jennifer Franks on this issue:

It is important for IRS to share some taxpayer information, but can it do so safely?

IRS doesn’t just use taxpayer information to process tax returns and refunds. It also shares this information with other federal entities and contractors. For example, if you’ve ever applied for a federal student loan or a student loan repayment plan, a contractor (loan servicer) or the Department of Education may request access to your tax return on your behalf, which IRS shares.

While it’s important for IRS to share this data, in some cases, it lacks the authority to ensure that federal entities receiving your information are protecting it. In our new report, we asked Congress to give IRS the authority it needs to ensure information shared with other federal agencies is safeguarded. We also recommend that IRS make sure contractors complete training on safeguarding taxpayer information, including storing it safely.

Protecting taxpayer data from snoops and cyberattacks

In our new report, we also looked at two other key threats to the security of taxpayer data—unauthorized access and disclosure by IRS employees, and cyberthreats.

Unauthorized access. Taxpayers’ records—no matter who you are—are confidential. This includes celebrities and politicians. Still, sometimes we hear about unauthorized disclosures in the news.

In May 2022, we reported that IRS had investigated nearly 1,700 cases of unauthorized access by its employees between 2012 and 2021. Of these cases, about 27% were found to be in violation of IRS’s rules that employees only access records when required for their jobs. Learn more about unauthorized access by listening to our podcast with GAO’s Jessica Lucas-Judy and Jennifer Franks.

IRS has taken steps to prevent unauthorized access of taxpayer information by employees. For example, IRS now requires certain employees to seek senior executive approvals to gain access to taxpayer information.

IRS makes sure its employees are trained on how to protect taxpayer information, including preventing unauthorized access (meeting an agency-wide 97% completion goal for IRS employees).

However, IRS did not have a training goal for contractors, some of whom handle the same taxpayer information as IRS employees. IRS records showed more than a third of required information security training was missing for contractors in fiscal year 2021.

[Image: Table showing examples of actions IRS has taken to better safeguard data, including limiting access.]

Cyber threats. Many of the IT systems IRS uses to process tax returns and issue refunds and payments are old or outdated (25 years old or older), which leaves them vulnerable to cyberattacks. In January, IRS rolled out a new internet platform that allows businesses to file taxes electronically. IRS is also piloting a program to allow individual taxpayers to file directly on IRS.gov in 2024.

But despite these IT updates, in our new report we found critical weaknesses in IRS’s efforts to protect its systems (new and old) from cyberthreats. For example, IRS is required to maintain an inventory of its systems that store taxpayer information. But we found this inventory was missing seven systems used to process tax data. If IRS does not know which systems house taxpayer information, it cannot ensure that proper protections are in place.

What more should IRS do to protect taxpayer information?

Security of taxpayer information is a longstanding issue. We first designated this topic as high risk in 1997. Since then, we’ve made hundreds of recommendations to improve how IRS manages and protects this information.

While IRS has taken some actions, our new report made 15 new recommendations to help IRS. These recommendations include actions that would improve the oversight and security of taxpayer information, as well as making sure those who can access taxpayer data complete training.

But some actions IRS can’t take on its own. As a result, we suggested that Congress provide IRS with additional authority to inspect federal agencies’ safeguards for taxpayer information.

Learn more about the security of taxpayer information in our new report.



About Watchblog

GAO's mission is to provide Congress with fact-based, nonpartisan information that can help improve federal government performance and ensure accountability for the benefit of the American people. GAO launched its WatchBlog in January, 2014, as part of its continuing effort to reach its audiences—Congress and the American people—where they are currently looking for information.

The blog format allows GAO to provide a little more context about its work than it can offer on its other social media platforms. Posts will tie GAO work to current events and the news; show how GAO’s work is affecting agencies or legislation; highlight reports, testimonies, and issue areas where GAO does work; and provide information about GAO itself, among other things.

Please send any feedback on GAO's WatchBlog to blog@gao.gov.