Most Recent IRS International Hacking Reveals Vulnerability

According to national reports, hackers allegedly stole the personal data of approximately 100,000 taxpayers from the IRS’s computer system.  The most recent investigative report from CNN reveals the IRS believes the cyber-attack has links to Russia.  In the coming days, weeks and months, federal law enforcement will no doubt do everything it can to detect who is behind this alleged cybercrime and, if possible, to bring charges against those allegedly responsible.

As the IRS continues to combat stolen identity tax refund fraud, an epidemic that costs the Government more than $5 billion per year, the significance of this cyber-attack cannot be overstated: it is game-changing.  At a minimum, if the latest news coverage is accurate, it is crystal clear that international hackers successfully infiltrated the IRS’s computer system to steal legally-protected and extremely sensitive taxpayer information.  This information must inevitably threaten the IRS’s filters in place to detect fraudulent tax returns filed in the names of stolen identities.  After all, if the IRS is looking at a taxpayer’s prior tax returns, the hackers now have that information.

The IRS’s response: “We’re confident that these are not amateurs,” IRS Commissioner John Koskinen said.  “These actually are organized crime syndicates that not only we but everybody in the financial industry are dealing with.”

The IRS’s response is fair in some respects – cybercriminals have perpetrated attacks against large retail stores and small businesses.  But the difference between the IRS’s identity theft epidemic and the private sector is that no other private company or government agency continues to lose more than $5 billion year after year to the same crime.  That the IRS’s data security systems did not shield the agency – and taxpayers – from an international hack of this caliber is as frightening as it is reflective of the fact that the agency’s systems are simply vulnerable.  What Commissioner Koskinen should understand is that if a large bank were losing billions of dollars year after year to the same brand of fraud, the bank would do something about it to stop the bleeding.

Perhaps more than anything else, this cyber-attack reveals that stolen identity tax refund fraud is not a problem the Government can prosecute its way out of.  Resources are limited and the IRS should spend every last dime on making it harder to steal money from the Treasury by improving filters, enhancing its data security systems, and protecting taxpayers from becoming victims of identity theft – not on seeking long prison sentences for the less sophisticated identity thieves the Government can actually catch.  If resources are the issue, the IRS should ask Congress to reallocate funding to cyber-infrastructure improvements and retain a company like Google to help.

Ultimately, this may be an embarrassment to the IRS – but perhaps it can also be the beginning of improved technology, improved policies and procedures, and improved perspectives on how to combat the identity theft tax fraud epidemic.