Editorial: Fix IRS cyber breaches

The Detroit News

It could be a pleasant surprise to find out someone else has taken on the onerous task of filing your tax return for you. (The deadline, by the way, is Monday this year instead of today.) But the reality is tax identity theft is a rampant and growing problem, and one the Internal Revenue Service doesn’t seem anxious to fix.

Americans filing tax returns this year face the real risk of having their identities and tax refunds stolen due to antiquated and unprotected government systems.

Hackers have accessed tax data for more than 700,000 taxpayers since 2014 by hacking one of the agency’s online tools intended to let filers obtain copies of previous tax returns, according to a recent report by the U.S. Government Accountability Office. Hackers tried to access information for about 500,000 additional taxpayers, but couldn’t.

That report essentially found the IRS had systems and established controls in place to help prevent identity theft, but they were “inconsistently implemented.” That’s not overly surprising, given the agency’s poor handling of other sensitive information.

“These weaknesses — including both previously reported and newly identified — increase the risk that taxpayer and other sensitive information could be disclosed or modified without authorization,” the report says.

In its conclusion, the GAO says the financial and taxpayer information on IRS systems “will remain vulnerable” until the agency addresses weaknesses related to identification and authentication, and until it “effectively implements elements of its information security program.”

But that means that problems will persist certainly through this year’s tax season and until the notoriously slow IRS fixes these security breaches.

The Senate Finance Committee questioned the agency recently about its cyber defenses, and IRS Commissioner John Koskinen has acknowledged that his agency’s systems are attacked a million times a day.

He’s blamed dwindling resources and understaffing for the poor response. Koskinen claims the IRS could collect billions of dollars more than it already does it if had the right staffing.

Koskinen’s response to the GAO report was that he needed 60 days to assess whether the agency has the resources to address the concerns the report raised.

But even in an era of tight budgets, a high priority should be placed on the essential task of protecting critical information.

The agency received an extra $250 million this year for taxpayer services and cybersecurity. Taxpayers have a right to expect results from that money.

Compounding the problem is that if people suspect their identities have been stolen off IRS documents, getting through to the agency can be challenging, to say the least.

Last year, the IRS had a 38 percent answer rate for incoming calls. This year the agency claims a 70 percent rate, but that still means 30 percent of callers never get an answer.

Taxpayers are legally obliged to turn over sensitive information demanded on tax forms. The least the IRS could do is make sure it’s protected.