US taxpayer data went missing thanks to IRS carelessness, says report

An IRS warehouse in Tennessee holding taxpayer data did not know it was holding taxpayer data, found a new analysis by the Treasury Department.

In fact, the top official at the warehouse learned from the inspector that taxpayer information was being stored there.

"If appropriate officials are not aware that [personally identifiable information] has been transferred into a system that was not originally designed to protect PII, they cannot adequately protect that data or take steps to prioritize necessary resources to appropriately manage the system from a security and risk perspective,” reads the audit by the Treasury Inspector General for Tax Administration.

The government is already notoriously bad with cybersecurity, and the IRS, which directly handles taxpayers' personal information, in recent years has experienced various public scandals after poorly protecting that data.

This lax security puts people at a great risk of identity theft, especially since social security numbers are involved, which can ruin credit scores, careers, and just about any stability in your life.

Taxpayer information was moved to a new Memphis location dubbed the Cybersecurity Data Warehouse after scammers in 2015 exploited an IRS hole to successfully obtain the personal information of more than 350,000 taxpayers. But when the department tried fixing the problem, they only made it worse.

People's vulnerable (and some already compromised) information was then given even less security there and remained that way for years.

The report is littered with alarming subheads like "the security change management process was not properly followed," "key security documentation was not updated," and "an inventory of systems that transfer taxpayer data to the cybersecurity data warehouse was not maintained."

They respectively (and more plainly) mean that the IRS didn't follow the rules, the necessary security measures to protect taxpayer data in its new home was nonexistent, and the IRS does not know what parties/systems touched taxpayer data.

The audit was conducted by the Treasury Inspector General for Tax Administration, an independent organization that checks the IRS. It gave four main recommendations, which the IRS did not fully agree to implement — it refused to hold employees accountable for their actions and did not agree to conduct a risk assessment of the data's new home.

They now, however, have bolstered physical security measures at the Memphis warehouse and control which employees could access this data.

It is unclear how many people's data was moved there and whether any data was breeched during these years of vulnerability.

The IRS did not respond to a request for comment at the time of publication.