19 contractors had access to the IRS’s sensitive systems despite failing background checks.
The Internal Revenue Service (IRS) has lax protections for sensitive tax data stored on its networks and even provides system access to people who no longer work with the agency, according to a report by the IRS watchdog, the Treasury Department Inspector General for Tax Administration (TIGTA).
TIGTA found that 279 out of 91,661 users it reviewed had access to the IRS’s sensitive systems as of July 2023 despite no longer being employed by the agency. Users include both employees and contractors. In addition, 19 contractors had access to sensitive systems despite failing background checks.
Moreover, the IRS was found not to have “adequate controls to detect or prevent the unauthorized removal of data by users” from some of its sensitive networks. A deficiency in the agency’s detection and deterrence processes resulted in the sensitive systems not being able to provide “complete, accurate, and usable” audit trail logs for monitoring and identifying unauthorized access.
To make matters worse, the IRS struggled to identify its sensitive systems, the report stated. “Management officials indicated that they did not have complete and reliable information that identifies all sensitive systems.”
This sets up “the potential for a repeat of the massive, illegal leak of tax returns like that carried out by Charles Littlejohn to The New York Times and ProPublica.”
Late last month, he was sentenced to five years in prison. His crime was the “biggest heist” in the history of the IRS, U.S. District Judge Ana Reyes said at the time. “It cannot be open season on our elected officials.” The judge noted that Mr. Littlejohn had purposefully sought the job in part to leak the tax info.
Commenting on the TIGTA report, Ways and Means Committee Chairman Mr. Smith said that “alarm bells should have set off at the IRS when it was discovered that an IRS contractor stole and leaked thousands of individuals’ tax returns, including President Trump’s,” referencing the leak by Mr. Littlejohn.
“Instead, it looks like the agency has done very little in response. The IRS has absolutely no excuse for the failure to protect confidential taxpayer information. The IRS must prioritize safeguarding taxpayer information and put adequate controls in place to prevent leaks of sensitive taxpayer information from happening again.”
The report comes days ahead of IRS Commissioner Daniel Werfel’s hearing with the Ways and Means Committee, scheduled for Feb. 15.
Employees and contractors are granted access to sensitive systems by the IRS through its Business Entitlement Access Request System (BEARS). TIGTA reviewed 91,661 users, including 86,593 employees and 5,068 contractors, who had access to one or more of the 276 sensitive systems.
Of the 86,593 employees, 277 were “separated” from the IRS as of July 13, 2023, but still had access to sensitive systems. Among the 5,068 contractors, two were separated but still maintained access. In total, 279 “separated” users thus had access to the IRS’s sensitive systems.
To gain access to a sensitive system, a user must be granted both “sensitive system access” and “network access.” “Network access” gives the user the ability to log into the IRS network. “Sensitive system access” gives the user the ability to log into a specific sensitive system located within the IRS network.
The tax agency claimed that for each of these users, their access to the IRS networks was removed. However, the agency admitted that network removal only reduces the risk of a user accessing a sensitive system. It does not eliminate such a risk.
In response to inquiries about why these users continued to have access to sensitive systems, the IRS said that “the automated process to remove network and sensitive system access once an employee or contractor separates did not seem to work correctly for these individuals,” the report stated.
According to IRS regulations, newly onboarded employees undergo a prescreening test and are then given access to sensitive systems. They also undergo a background check that is completed within their first year of service.
In the case of contractors, access is only granted once the background check is completed with a favorable determination. TIGTA found that even though 19 out of 5,068 contractors’ background checks were not favorable, they still had access to sensitive systems and networks.
The IRS told TIGTA that these contractors’ respective Contracting Officer’s Representatives did not take action to suspend or disable the contractors’ system access, as is necessary when they fail background checks.
By November 2023, network access was disabled for eight out of the 19 contractors. The remaining 11 received a favorable determination in their background checks, thus validating access to sensitive systems.
“However, the fact remains that the IRS should have suspended or disabled these contractors’ access until a favorable determination was on file,” TIGTA said in the report.