IRS Hack Tied to Russians, Occurred Despite Warnings of Safety Risks

In this March 22, 2103 file photo, the exterior of the Internal Revenue Service (IRS) building is seen in Washington.
AP/Susan Walsh
Washington D.C.

The IRS had been warned of vulnerabilities in their computer system long before the taxing agency admitted this week that it had been hacked and may have lost the data of up to 100,000 American taxpayers.

The IRS said this week that it believes that the hack originated somewhere in Russia and that the stolen information was used to file some $50 million in false tax returns. The agency refused to speak on the matter further, claiming it doesn’t discuss ongoing investigations.

The massive loss of data didn’t just occur this week. The IRS reported that the breach occurred between February and May of this year. The agency also plans to alert the 100,000 taxpayers whose information was stolen.

The hack itself came through one of the IRS’s own online services.

The government reports that hackers used the “Get Transcript” system, a service where taxpayers can get past tax returns and other filings. The IRS said thieves cleared a security screen that required knowledge about the taxpayer, including their Social Security number, date of birth, tax filing status, and street address.

However, this situation should be no surprise at all because federal audits and other reports going back all the way to 2007 have repeatedly warned that the IRS computer system is vulnerable to attacks just like those announced this week.

In fact, a report from October of 2014 noted that “Computer security has been problematic for the IRS since 1997.”

Further, the security risks to the IRS computer systems have been marked as a top problem for the agency in every Treasury Inspector General for Tax Administration since 2004.

In another case, the US Government Accountability Office warned that weaknesses remain in the IRS computer systems “that could affect the confidentiality, integrity and availability of financial and sensitive taxpayer data.”

For its part, the IRS has repeatedly acknowledged the security problems but has only made attempts to correct the vulnerabilities in fits and starts. Few of the agency’s efforts have gone far enough to satisfy auditors and investigators.

Shockingly, in at least one case, a company awarded a contract to work with IRS systems and taxpayer information was never required to give its employees background checks.

Follow Warner Todd Huston on Twitter @warnerthuston, or email the author at