TIGTA Faults IRS for Keeping IP PIN Program Open After It Was Hacked

By: Chris Gaetano
Published Date: Mar 28, 2017

The Treasury Inspector General for Tax Administration (TIGTA) faulted the IRS in a recent report for keeping its IP PIN (Identity Protection PIN) program open even after a security breach had been identified. 

The IP PIN program was developed to serve as an extra layer of authentication for previous victims of identity theft, allowing returns and refunds to be processed without delay. The program was, itself, instituted in response to a massive data breach the previous year that compromised the personal information of hundreds of thousands of taxpayers. Then, in an irony worthy of Sophocles, the IP PIN program was itself hacked, eventually leading the IRS to temporarily shut down the program in March 2016.

TIGTA, however, noted that the IP PIN security breach had already been identified nearly a year earlier, on May 17, 2015. Since that time, TIGTA said, it had repeatedly recommended that the IRS shut the program down until it could implement better authentication processes to protect taxpayers. Instead of deactivating the program, the IRS said it would develop further mitigation strategies. TIGTA said that some of these strategies failed to protect taxpayers.

For instance, while returns with IP PINs were meant to be reviewed manually, TIGTA estimates that 36.8 percent of such returns were not. The report said that IRS management was not certain of the reason in all cases, but did state that some of these tax returns were not manually reviewed because system programming was not completed at the beginning of the 2016 Filing Season and because the IRS had insufficient weekend staffing to review tax returns received during the weekends. Despite issues like this, though, the IRS chose to keep the program open.

"To quantify the potential effect of the IRS not immediately deactivating the IP PIN application, we analyzed Tax Year 2015 filed tax returns with an IP PIN obtained from the online application. Our review identified that 23,991 (24 percent) of the 100,463 tax returns with refunds claimed totaling $26 million are potentially fraudulent. For each of these tax returns, the IRS did not receive a Form W-2, Wage and Tax Statement, supporting the income and withholding reported on the tax return," said TIGTA. 

TIGTA recommended that the IRS ensure that an authentication risk assessment is completed and documented subsequent to all future system security breaches to an online application, that all functions have consistent procedures for adding identity theft markers that create an IP PIN, that accurate information is provided to taxpayers on IRS notices, that processes are developed to identify taxpayers in locations with the highest per-capita rate of identity theft, and that an outreach strategy is developed to increase taxpayer awareness of the program, now that it has been reactivated with improved authentication controls. 

The IRS agreed with four recommendations but did not agree that processes need developing to identify taxpayers in locations with the highest per capita rate of identity theft. TIGTA stated that this decision is contrary to the intent of the Opt-In Program, which is to focus on taxpayers in States and locations with the highest per capita rate of identity theft.
