The IRS failed to implement dozens of security upgrades to its computer systems, some of which could have made it more difficult for hackers to use an IRS website to steal tax information from 104,000 taxpayers, a government investigator told Congress Tuesday.
The agency's inspector general couldn't say whether the upgrades would have prevented the breach. But, he added, "I can say it would have been much more difficult had they implemented all of the recommendations that we made."
Each year, the Treasury inspector general for tax administration audits the IRS's security systems and recommends improvements. As of March, 44 of those upgrades had not been completed, said the inspector general, J. Russell George.
Ten of the recommendations were made more than three years ago.
In addition, the Government Accountability Office issued a report in March that identified more than 50 weaknesses in the IRS's computer security that had not been resolved. Until those weaknesses are fixed, "financial and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification or disclosure," the GAO said.
George testified Tuesday before the Senate Finance Committee. He was joined by IRS Commissioner John Koskinen, who disputed George's claims that the upgrades would have helped deter the breach.
Koskinen said the information was stolen by thieves who already had personal information about the victims, including Social Security numbers, birth dates and addresses. The personal information was presumably stolen elsewhere, though neither George nor Koskinen could say where.
The thieves used the information to access an IRS website called "Get Transcript," where taxpayers can get tax returns and other tax filings from previous years. The IRS's main computer system, which taxpayers use to file their returns, was not breached, Koskinen said.
"We should do and will continue to implement their recommendations," Koskinen said of the IG's proposals. "But those recommendations did not go to this particular web access."
The IRS believes the information was stolen as part of an elaborate scheme to claim fraudulent tax refunds. George confirmed that at least some of the thieves were based in Russia, though he said some were in other countries, which he would not name.
Koskinen said the thieves are part of a sophisticated international syndicate.
"These are criminal syndicates that are not bound by geographic limits," Koskinen said. "They may be operating in one country but they're operating across country lines, and they're oftentimes operating in conjunction with each other or selling data back and forth to each other."
The revelation highlights the global reach of many cyber criminals. It could also complicate efforts to prosecute the offenders.
Koskinen said an increasing number of cyberattacks are coming from Eastern Europe and Asia. However, he said, foreign governments are often slow to help U.S. authorities.
"As a general matter we don't get a lot of cooperation," Koskinen said.
So far, the thieves have claimed about 13,000 refunds using information they stole from the website, Koskinen said. The refunds have totaled about $39 million.
The IRS is notifying taxpayers who had their information compromised, Koskinen said. Their files will be tagged so no one can use their information to claim a fraudulent tax refund in the future.
Koskinen said budget cuts have hampered the IRS's ability to upgrade its computer systems. Funding for cybersecurity has been cut by 20 percent since 2011, to $149 million this year.
Overall, the agency's funding has been cut by more than $1 billion since 2010, to $10.9 billion this year.
Congressional Republicans have targeted the IRS for funding cuts in part to hurt the agency's ability to implement President Barack Obama's health law. The IRS also became a target after officials acknowledged in 2013 that agents had singled out conservative political groups for extra scrutiny when they applied for tax-exempt status.
Koskinen said the IRS requested $600 million over the past two years for computer upgrades related to the health law, but Congress gave the agency nothing.
"So we had to take that money out of information technology expenditures," Koskinen said.
However, on Tuesday, Koskinen said he didn't want to blame budget cuts for the breach.
"Not every problem is a budget problem, so I don't want to wander around town every time we have a challenge saying, 'Ah, if we had more money, we'd fix it,'" Koskinen said. "This is a technology issue, not a budget (issue), but a question of security, a question of keeping up criminals in terms of authentication."