[Senate Hearing 114-322] [From the U.S. Government Publishing Office] S. Hrg. 114-322 INTERNAL REVENUE SERVICE DATA THEFT AFFECTING TAXPAYER INFORMATION ======================================================================= HEARING before the COMMITTEE ON FINANCE UNITED STATES SENATE ONE HUNDRED FOURTEENTH CONGRESS FIRST SESSION __________ JUNE 2, 2015 __________ [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Printed for the use of the Committee on Finance ______ U.S. GOVERNMENT PUBLISHING OFFICE 20-598-PDF WASHINGTON : 2016 ----------------------------------------------------------------------- For sale by the Superintendent of Documents, U.S. Government Publishing Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-0001 COMMITTEE ON FINANCE ORRIN G. HATCH, Utah, Chairman CHUCK GRASSLEY, Iowa RON WYDEN, Oregon MIKE CRAPO, Idaho CHARLES E. SCHUMER, New York PAT ROBERTS, Kansas DEBBIE STABENOW, Michigan MICHAEL B. ENZI, Wyoming MARIA CANTWELL, Washington JOHN CORNYN, Texas BILL NELSON, Florida JOHN THUNE, South Dakota ROBERT MENENDEZ, New Jersey RICHARD BURR, North Carolina THOMAS R. CARPER, Delaware JOHNNY ISAKSON, Georgia BENJAMIN L. CARDIN, Maryland ROB PORTMAN, Ohio SHERROD BROWN, Ohio PATRICK J. TOOMEY, Pennsylvania MICHAEL F. BENNET, Colorado DANIEL COATS, Indiana ROBERT P. CASEY, Jr., Pennsylvania DEAN HELLER, Nevada MARK R. WARNER, Virginia TIM SCOTT, South Carolina Chris Campbell, Staff Director Joshua Sheinkman, Democratic Staff Director (ii) C O N T E N T S ---------- OPENING STATEMENTS Page Hatch, Hon. Orrin G., a U.S. Senator from Utah, chairman, Committee on Finance........................................... 1 Wyden, Hon. Ron, a U.S. Senator from Oregon...................... 3 WITNESSES Koskinen, Hon. John A., Commissioner, Internal Revenue Service, Washington, DC................................................. 5 George, Hon. J. Russell, Treasury Inspector General for Tax Administration, Department of the Treasury, Washington, DC..... 7 ALPHABETICAL LISTING AND APPENDIX MATERIAL George, Hon. J. Russell: Testimony.................................................... 7 Prepared statement........................................... 37 Responses to questions from committee members................ 42 Hatch, Hon. Orrin G.: Opening statement............................................ 1 Prepared statement........................................... 44 Koskinen, Hon. John A.: Testimony.................................................... 5 Prepared statement........................................... 46 Responses to questions from committee members................ 49 Roberts, Hon. Pat: ``I.R.S. Data Breach May Be Sign of More Personalized Schemes,'' by Patricia Cohen, New York Times, May 28, 2015. 63 Wyden, Hon. Ron: Opening statement............................................ 3 Prepared statement........................................... 65 (iii) INTERNAL REVENUE SERVICE DATA THEFT AFFECTING TAXPAYER INFORMATION ---------- TUESDAY, JUNE 2, 2015 U.S. Senate, Committee on Finance, Washington, DC. The hearing was convened, pursuant to notice, at 10 a.m., in room SD-215, Dirksen Senate Office Building, Hon. Orrin G. Hatch (chairman of the committee) presiding. Present: Senators Grassley, Crapo, Roberts, Enzi, Cornyn, Thune, Isakson, Heller, Scott, Wyden, Stabenow, Nelson, Carper, Cardin, Bennet, and Casey. Also present: Republican Staff: Chris Campbell, Staff Director; Kimberly Brandt, Chief Healthcare Investigative Counsel; Chris Armstrong, Deputy Chief Oversight Counsel; and Justin Coon; Detailee. Democratic Staff: Adam Carasso, Senior Tax and Economic Advisor; Dave Berick, Chief Investigator; Michael Evans, General Counsel; Daniel Goshorn, Investigative Counsel; and Joshua Sheinkman, Staff Director. OPENING STATEMENT OF HON. ORRIN G. HATCH, A U.S. SENATOR FROM UTAH, CHAIRMAN, COMMITTEE ON FINANCE The Chairman. The committee will come to order. Our hearing today concerns recent revelations that the Internal Revenue Service was the target of an organized service breach aimed at roughly 200,000 taxpayer accounts. We understand that over 100,000 of these breaches were successful, with cyber-criminals obtaining confidential taxpayer information from the agency's Get Transcript application. In dealing with this breach here in the Senate, this committee stands alone, having legislative jurisdiction over the Internal Revenue Code, oversight jurisdiction over the IRS, and wide-ranging abilities to conduct investigations dealing with individual taxpayer information. While I have raised questions in the past about the way the IRS prioritizes its spending, today's hearing is about finding out how criminals stole vast amounts of taxpayer information. Any questions regarding funding levels for the agency should wait until we have a complete understanding about what occurred. Before we turn to the technological issues, let us focus for a moment on the victims. Because of this breach, criminals were able to get personal information about roughly 104,000 taxpayers, potentially including Social Security Numbers, bank account numbers, and other sensitive information. These taxpayers, and their families, must now begin the long and difficult process of repairing their reputations. And they must do so with the knowledge that the thieves who stole their data will likely try to use it to perpetrate further fraud against them. Commissioner Koskinen, put simply, your agency has failed these taxpayers. This hearing is of utmost importance as we work to find out what individuals and organizations were behind this breach; discover how this breach occurred and what steps the IRS might have taken to prevent it; find out what taxpayer information was compromised and how this may affect both taxpayers and tax administration going forward; and determine what tools and resources are necessary to better protect taxpayers, catch cyber-criminals, and prevent this type of breach from being successful in the future. Most of all, we must pledge to work together to make sure that this type of breach does not happen again. The secure movement of information is the lifeblood of international commerce and a necessary predicate for efficient government administration. Unfortunately, this information is also highly valuable to criminals. We see it in the headlines nearly every week: a major insurance company, bank, or retailer has its information security compromised, and personal information or corporate data is stolen. Federal departments, especially defense-related agencies, come under attack each and every day. The IRS is not, and will never be, exempted from this constant threat. In fact, there is reason to believe the IRS will be more frequently targeted in the future. After all, the IRS stores highly sensitive information on each and every American taxpayer, from individual taxpayers to large organizations, and from mom-and-pop businesses to multinational corporations. The challenge of data security matters a great deal to every single taxpayer and will continue to be a central challenge to tax administration in the coming years. Of course, data security and the protection of taxpayer information are of the highest importance in the prevention of stolen identity refund fraud. Identity theft, and the resulting tax fraud, costs taxpayers billions of dollars every year, and, once it occurs, it can take months or years for a taxpayer to mitigate the damage. It was out of concern over stolen identity refund fraud that Ranking Member Wyden and I quietly launched an investigation earlier this year, requesting information and documents from the country's largest tax return preparers and debit card companies. We look forward to working with the IRS as we move forward with this investigation and consider policy changes. We also look forward to hearing the report from your preparer working groups, and the committee looks forward to weighing in on those matters in the near future. So I welcome our witnesses today, IRS Commissioner Koskinen and Inspector General George. Commissioner Koskinen, earlier this year, when I first welcomed you before the committee as chairman, I noted that I hoped it would be the beginning of a new chapter in the long, historic relationship between the Internal Revenue Service and the Senate Finance Committee. I said that because the issues before us are too great for that relationship to be anything but open, honest, and productive. Today's topic is a great example of why that relationship is so important. Cyber-threats will only continue to grow, and those types of threats go to the core of our voluntary tax system. We must work together to figure out what really has happened, what went wrong in allowing the breach to occur, and how we can prevent another successful attack from taking place in the future. Finally, I would like to acknowledge that today's hearing occurs during somewhat unusual circumstances. The issue before us is the subject of several recently opened investigations, including a criminal investigation conducted by TIGTA. I caution members of the committee to be sensitive to these investigations when asking questions of the witnesses and be aware that they may not be able to provide full answers to every question in this public forum. In spite of these limitations, it is important to discuss this matter today as fully and candidly as possible. [The prepared statement of Chairman Hatch appears in the appendix.] The Chairman. With that, I would like to turn to Senator Wyden for his opening remarks. OPENING STATEMENT OF HON. RON WYDEN, A U.S. SENATOR FROM OREGON Senator Wyden. Thank you very much, Mr. Chairman. Mr. Chairman, I look forward to working with you and all our colleagues on what is another important and bipartisan concern for this committee. Three months ago, the Finance Committee met in a hearing on the latest ID thefts and other scams plaguing taxpayers, and I said then that that wave of attacks sure looks to me like organized crime. Today, we meet after 104,000 tax returns have been hoovered up by what appears to be a sophisticated organized crime syndicate. The problem continues to spiral, with hackers targeting Federal agencies, State governments including my own, and private companies alike, to steal money and data. One report from the Department of Homeland Security said Federal agencies' computer systems come under attack hundreds of times a day, tens of thousands of times a year. The investigation of the stolen tax returns is ongoing as of this morning. But once again, it seems that the thieves are a step ahead of the authorities. They gained access to enormous amounts of personal data, which is up for purchase at extraordinary cost in the Internet's shadowy corners. These rip-off artists used that data to slip past the security filters at the IRS and steal taxpayers' most sensitive financial information. So it is my view that it is fair to say once again that this conduct fits the definition of ``organized crime.'' The thieves who steal taxpayer information could wipe out people's life savings and leave them in financial ruin. They could falsify tax returns next year or further down the road. They could take out huge, fraudulent home or student loans. And on a bigger scale, the money stolen in this cyber-crime wave could be funneled into yet more criminal activity. It could wind up in war zones. There is a possibility it could be used to fund acts of terror without being traced. Just like when the White House and the Department of Defense were targeted in the past, this was an attack on the security of Americans. I will be very direct about what is needed here. To protect taxpayers from this onslaught of cyber- crime, the IRS needs a 21st-century IT system. Now, this is not just a question of resources, and it is certainly not a lack of commitment from the IRS staff. It is also a question of expertise. The era of punch cards and paper forms ended long ago. Federal agencies like the IRS need to tap into the expertise of our leading technology firms, our leading web firms--the pros who serve not millions or tens of millions but hundreds of millions of users. This expertise will allow the IRS to avoid the pitfalls of the past and to implement a 21st-century IT system that protects taxpayers' privacy, catches the hackers and the cheats, and funds our government as efficiently as possible. When that system is in place, the Congress has to step up and provide the funds necessary to manage those functions effectively. Legislators would not call for the Department of Defense or White House security budgets to be slashed after cyber-attacks, but the IRS's security funding has been shrinking for years. No company would try to defend against modern cyber-criminals with technology that is 20 or 30 years old, but that is what the IRS is stuck using in the absence of the expertise and resources to serve the American taxpayer. The Congress must also make sure that the IRS has the information it needs to mount the strongest possible fight against the fraudsters. If the IRS had access to the data on W- 2 and 1099 forms from the beginning of tax season, it would be much easier to catch fraudulent returns early and save taxpayers the nightmare of a stolen refund. Chairman Hatch and I have developed a bipartisan proposal to add an extra level of security by expanding the program that distributes unique passwords for individual taxpayers to use when they file. And when the taxpayer does become a victim of fraud, they ought to get more help undoing the damage more quickly and restoring their credit. It ought to be clear to all that beefing up cyber-security at the IRS ought to be a top priority and draw on the technology expertise that exists in my home State and in States across the land. It is my hope that our hearing today will set aside once again the politics of these issues and focus on bipartisan, fresh ideas of how to best protect our taxpayers. Thank you, Mr. Chairman, and I look forward to working with you. The Chairman. Thank you, Senator. [The prepared statement of Senator Wyden appears in the appendix.] The Chairman. Our first witness today is IRS Commissioner John Koskinen. Commissioner Koskinen has been serving as the head of the Internal Revenue Service since December 2013. Mr. Koskinen's extensive public- and private-sector experience has prepared him to confront the many challenges facing the IRS. I have a great deal of confidence in Commissioner Koskinen. I want to thank you, Commissioner, for being here with us today. Let me introduce our second witness as well, and then we will have you give your statements. Our second witness today is Inspector General Russell George, the Treasury Inspector General for Tax Administration, or TIGTA. Inspector General George has been serving as the head of TIGTA since 2004. Mr. George has extensive public-sector experience, including working for the House of Representatives' Committee on Government Reform and Oversight. I have a great deal of respect for you also, Mr. George, and I want to thank you, Mr. Inspector General, for being here today. So if you will, Commissioner Koskinen, we will start with you. We hope you can keep your remarks within 5 minutes, because I am sure we are going to have a lot of questions. STATEMENT OF HON. JOHN A. KOSKINEN, COMMISSIONER, INTERNAL REVENUE SERVICE, WASHINGTON, DC Commissioner Koskinen. Chairman Hatch, Ranking Member Wyden, and members of the committee, thank you for the opportunity to appear before you today to provide information on the recent unauthorized attempts to obtain taxpayer data through the IRS's Get Transcript online application. Securing our systems and protecting taxpayer information are top priorities for the IRS. Even with our constrained resources as a result of repeated decreased funding over the past few years, we continue to devote significant time and attention to this challenge. At the same time, it is clear that criminals have been able to gather increasing amounts of personal data as the result of data breaches at sources outside the IRS, which makes protecting taxpayers increasingly challenging and difficult. The unauthorized attempts to access information using the Get Transcript application were made on approximately 200,000 taxpayer accounts from questionable e-mail domains, and the attempts were complex and sophisticated in nature. The attempts were made using taxpayers' personal information already obtained from sources outside the IRS. It should be noted that the third parties who made these unauthorized attempts to obtain tax account information did not attempt to gain access to the main IRS computer system that handles tax filing submissions. The main IRS computer system remains secure, as do other online IRS applications such as ``Where's My Refund?'' To access Get Transcript, taxpayers must go through a multistep authentication process to prove their identity. They must first submit personal information, such as their Social Security Number, date of birth, tax filing status, and home address. The taxpayer then receives an e-mail from the Get Transcript system containing a confirmation code that they enter to access the application and request a transcript. Before the request is processed, the taxpayer must respond to several so-called out-of-wallet questions designed to elicit information that only the taxpayer would normally know, such as the amount of their monthly mortgage or car payment. During the middle of May, our cyber-security team noticed unusual activity on the Get Transcript application. At the time, our team thought this might be a ``denial of service'' attack, where hackers try to disrupt a website's normal functioning. They ultimately uncovered questionable attempts to access the Get Transcript application. Of the approximately 100,000 successful attempts to access the Get Transcript application, only 13,000 possibly fraudulent returns were filed for tax year 2014, for which the IRS issued refunds totaling $39 million. We are still determining how many of these returns were filed by actual taxpayers and which were filed using stolen identities. For now, our biggest concern is for the affected taxpayers to make sure they are protected against fraud in the future. We have marked the accounts of the 200,000 taxpayers whose accounts were attacked by outsiders to prevent someone else from filing a tax return in their name, both now and in 2016. Letters have already gone out to the approximately 100,000 taxpayers whose tax information was successfully obtained by unauthorized third parties. We are offering credit monitoring at our expense to this group of taxpayers. We are also giving them the opportunity to obtain an Identity Protection Personal Identification Number, or IP PIN as it is known. This will further safeguard their IRS accounts. We are also in the process of writing to the 100,000 taxpayers whose accounts were not accessed to let them know that third parties appear to have gained access from outside the IRS to personal information such as their Social Security Numbers and other information. We want them to be able to take steps to safeguard that data. The Get Transcript application has also been taken down while we review options to make it more secure without rendering it inaccessible to legitimate taxpayers. The problem of criminals using stolen personal information to impersonate taxpayers is not a new one. The problem of tax refund fraud exploded from 2010 to 2012. Since then, we have been making steady progress both in terms of protecting against fraudulent refund claims and prosecuting those who engage in this crime. Over the past few years, almost 2,000 individuals were convicted in connection with refund fraud related to identity theft. Additionally, as our processing filters have improved, we have also been able to stop more suspicious returns at the door. This past filing season, our fraud filters stopped almost 3 million suspicious returns before processing, an increase of over 700,000 from the year before. But the criminals continue to become more sophisticated and creative. For that reason, as the chairman noted, we recently held a sit-down meeting with the leaders of the tax software and payroll industries and State tax administrators. We all agreed to build on our cooperative efforts of the past and find new ways to leverage this public-private partnership to help battle identity theft. We expect to announce more details shortly. Congress plays an important role too, and can help by approving the President's 2016 budget request, which provides for $101 million specifically devoted to identity theft and refund fraud. And as Senator Wyden noted, a key legislative request, among others in the budget, is a proposal to accelerate information return filing dates generally to January 31st of the year following the year for which the information is being reported. That would assist the IRS in identifying fraudulent returns and reduce refund fraud related to identity theft. Chairman Hatch, Ranking Member Wyden, and members of the committee, this concludes my statement, and I would be happy to answer your questions. [The prepared statement of Commissioner Koskinen appears in the appendix.] The Chairman. Well, thank you, Mr. Koskinen. I will turn to Mr. George. STATEMENT OF HON. J. RUSSELL GEORGE, TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION, DEPARTMENT OF THE TREASURY, WASHINGTON, DC Mr. George. Thank you, Chairman Hatch, Ranking Member Wyden, members of the committee. Thank you for the opportunity to discuss the data breach that occurred at the Internal Revenue Service. On May 26, 2015, the IRS announced that criminals had used taxpayer-specific data acquired from non-IRS sources to gain unauthorized access to information on approximately 100,000 tax accounts through the IRS's Get Transcript application. Our Office of Investigations continues to investigate this incident, coordinating with other Federal enforcement agencies. According to reports we received from the IRS, which we have not yet validated, an individual or individuals succeeded in clearing an authentication process that required knowledge of prior information about the taxpayer, including Social Security Number, dates of birth, tax filing status, street addresses, as well as answers to personal identity verification questions that typically only the taxpayer would know. Security of taxpayer data has been designated by TIGTA as the top concern facing the IRS since fiscal year 2011. Due to the significant risks in this area, we currently have an audit underway to assess the IRS's processes for authenticating taxpayers at the time the tax returns are processed and when accessing IRS services. Information obtained from data breaches in recent years and increased availability of personal information on the Internet have resulted in a weakening of controls used to authenticate individuals accessing personal data. The risk for this type of unauthorized access to tax accounts will continue to grow as the IRS focuses its efforts on delivering taxpayers' self- assisted, interactive online tools. More avenues for online assistance also mean more opportunities for exploitation by hackers and greater risk to the IRS and taxpayers. In prior audits, we have identified a number of areas in which the IRS could better protect taxpayer data and improve its overall security posture. For example, we found that the IRS had not always applied high-risk computer security upgrades, known as ``patches,'' to help ensure IRS systems were protected and operated securely. In another audit, we found that the IRS office responsible for addressing cyber-attacks was not monitoring a significant percentage of IRS servers, which puts the IRS's networks, data, and applications at risk. The IRS is continuously under attack by those using the tax administration system for personal gain in various ways. These attacks and the methods used to perpetrate them are constantly changing and require constant monitoring by the IRS. Two of the most pervasive frauds currently being perpetrated that impact tax administration are the phone impersonation scheme and identity theft. In summary, the IRS faces the daunting task of protecting its data and IT environment from the ever-changing and rapidly evolving hacker world. This incident that is the subject of the hearing provides a stark reminder that even security controls that may have been adequate in the past can be overcome by hackers, who are anonymous, persistent, and have access to vast amounts of personal data and knowledge. The IRS needs to be even more vigilant in protecting the confidentiality of sensitive taxpayer data. Otherwise, as shown by this incident, taxpayers can be exposed to the loss of privacy and to financial damages resulting from identity theft or other financial crimes. We at TIGTA are committed to our mission of ensuring an effective and efficient tax administration system and preventing, detecting, and deterring waste, fraud, and abuse. As such, we plan to provide continuing audit and investigative coverage of the IRS's efforts to effectively protect sensitive taxpayer data and investigate any instances of attempts to corrupt or otherwise interfere with tax administration. Chairman Hatch, Ranking Member Wyden, and members of the committee, thank you for the opportunity to share my views. [The prepared statement of Mr. George appears in the appendix.] The Chairman. Well, thank you, Mr. George. Let me start with you, Inspector General George. In your written testimony, you said that TIGTA has designated the security of taxpayer data as the top concern facing the IRS in every year since 2011, as you stated here today. But in spite of your concerns, the IRS has not implemented many of TIGTA's audit recommendations about how the IRS can strengthen its IT security. You noted that as of March 2015, the IRS had not implemented 44 of TIGTA's audit recommendations about information technology security, 10 of which were more than 3 years old. Beyond that, the IRS had disagreed with another 10 recommendations about IT security. Mr. Inspector, if the IRS had fully implemented TIGTA's past recommendations about IT security, do you believe that the recent attacks on the Get Transcript application would have been successful? Mr. George. I cannot at this stage, Mr. Chairman, give you a definitive answer as to whether or not it would have been possible. But I can say it would have been much more difficult had they implemented all of the recommendations that we made. The Chairman. Thank you. Mr. Commissioner, in your testimony, you acknowledge that the use of stolen identities to perpetrate tax fraud has really exploded in recent years. Now, due to the theft of personal information from your agency, there are more than 100,000 new identities on the international black market, and as many as 13,000 new fraudulent returns have been filed, at a cost to taxpayers of up to $39 million. When it comes to identity theft and tax fraud, I do not think we can adopt a ``pay and chase'' mentality, or we will lose every single time. Stolen identities are a significant problem, but also not a problem that your agency can solve on its own. What your agency can solve is the ease with which criminals then use this stolen information to obtain fraudulent tax refunds. News reports indicate that the recent IRS identity thieves may have been in Russia. Two years ago, TIGTA found large numbers of fraudulent refunds issued to Bulgaria, Lithuania, and China. Now, I am not asking you to speak about the new investigation, but can either of you tell the committee about what more can be done to stop these thieves from robbing the Treasury both at home and abroad? And do you feel like you have received the adequate cooperation of the Justice Department and others in finding and stopping these perpetrators? Commissioner Koskinen. Well, it is, as noted, an increasingly complicated challenge everyone faces in the financial world. I would just note, as a correction, there are not 104,000 new stolen identities. Those identities were stolen before the transcripts were accessed. What is available now is, for those transcripts out there, more details to go along with those stolen identities, and that is part of the problem. As there are breaches across the private sector or across the economy, all of that data is being collected by organized criminals who have a database in what is the so-called dark net that exceeds the amount of data that is in the regular web that we all use. So it is, as the Inspector General says, an increasingly complicated challenge. What worked yesterday, what worked a year ago, may not be working anymore today. So you continually have to attack that problem. We work very closely with the Inspector General and value their input, and, in fact, in many cases we ask them to do tests, to do reviews and audits of the security and the IT systems as we go forward. In response to your question, we have looked at that in terms of the suggestions made about improvements we could make. Virtually all of the reports we have had recently have appropriately looked at our security with regard to our basic database. Those reports and those recommendations did not deal with the e-authentication process for this website. The problem with the e-authentication process for the website is, what was a perfectly good security mechanism that was used by private- sector financial institutions and others, as the Inspector General says, is being overtaken by events. The Chairman. In too many cases, foreign criminals are reaching into the Federal Treasury from abroad. Now, do you get adequate cooperation from foreign governments? Commissioner Koskinen. Well, we get very good cooperation from the Justice Department. As I noted, with our Criminal Investigation Division, and working with TIGTA, we have thrown almost 2,000 people in jail. Our resources there--we have 300 fewer criminal investigators than we had 4 or 5 years ago. It is a problem when you find, as we do, that an increasing number of the attacks are coming from criminal syndicates in Eastern Europe and Asia. Extradition, finding, tracking those people down, is much more difficult, and, as a general matter, we do not get a lot of cooperation. The Chairman. Okay. Senator Wyden? Senator Wyden. Thank you very much. Commissioner, at a hearing in March, I pointed out that with the increased sophistication of those involved in taxpayer ID theft, it looked to me like the work of organized crime. I understand that you have since stated that most of taxpayer ID theft involves organized crime. You also said that the recent taxpayer ID theft involved bulk attempts to access taxpayer records. Now, I know the investigation of this latest ID theft is ongoing, but from what I have seen thus far, it sure looks to me like this attack was undertaken by an organized crime syndicate that already had access to enormous amounts of data on U.S. taxpayers. Would you agree? Commissioner Koskinen. I would. As I said, there is an unimaginable amount of personal data in the hands of criminals as a result of data breaches across the economy, not only here but criminal syndicates around the world, in Eastern Europe and in Asia. And the battle is becoming increasingly more difficult, not just for us but for everyone in the private sector. In many ways, this event is a shot across the bow to remind people of the nature of the battle we are fighting and the sophistication of the enemy. Senator Wyden. And would you then say, given that you said you agreed with my description of the threat, that your challenge is making sure you are in a position to have a game plan so you can stay ahead of these increasingly sophisticated threats to our taxpayers? Commissioner Koskinen. Right. Whether we are ever going to be able to stay ahead or not is the challenge. Our goal right now is to try to make sure that we are at least even with them in understanding what is going on and being able to protect taxpayer data and taxpayers from these ongoing attacks. Senator Wyden. Let us talk for a few minutes then about the game plan that you would have to have. As I say, I think the sophistication of these organized crime syndicates is such that, whenever you close this door, they look for the next one, and that is why I talked about how we are going to try to take them on. It seems to me it comes down to having the people who have the skills and experience to combat the threats, the critical pay authority to be able to hire them, and sufficient funding to upgrade the IRS computer security systems. Are those generally the elements of the kind of strategy that you want to have? Commissioner Koskinen. Those cover most of the significant points, particularly what we call the streamlined critical pay. It is a small number of people whom we are authorized to hire, but it allows--our present head of Information Technology is on streamlined critical pay. That program worked for about 14 years, but it was not extended 2 years ago. I was just talking to our IT head. We had two very senior, sophisticated IT people we could not hire because they did not want to go through the normal government process. So it is critical to us. It is a total authorization of 40. We had 29 when I started; we are down to 16 as that program runs off. A key member of our cyber-security unit is on critical pay. Our Online Services Program Director was hired through streamlined critical pay authority. So that authority is critical for the small number of people we need who are going to be world-class experts at dealing, not only with technology, but with security. Senator Wyden. What does this committee need to do--because you have heard Chairman Hatch and I indicate we want to work with you on a bipartisan basis to address this. What does this committee need to do to assist you in executing this game plan to make sure, for example, you have an adequate number of people in cyber and these kinds of issues? Commissioner Koskinen. Well, I appreciate the chairman's note that we need to work on this together. This is not an issue that has a political overtone to it. This is a challenge that faces every American, faces every company in this country. As I noted, if we could get W-2s and information returns earlier, it would allow us to be more effective in protecting against identity theft. To the extent that we could get authority to, in fact, adjust the way Social Security Numbers are produced on W-2s, it would help us ensure that those W-2s are not fraudulent. There are other legislative supporting issues, including streamlined critical pay, that would be very helpful. And, obviously, I think the chairman is right. We have not made a point in this presentation that budget is an issue, but we are running an antiquated system with some applications that are 50 years old. In some cases, as the IG noted, we have not even been able to provide patches for all of the upgrades. Some of our systems do not have patches because they are no longer supported by the providers. So we obviously do need jointly to figure out what it takes to make sure that this system is able to protect people. Senator Wyden. Commissioner, thank you. It just is clear to me that if you have IT from the Dark Ages, you are not going to be able to stay on top of these kinds of problems. So I am committed to working with you, and I also mentioned in my opening statement there are some very good people in the technology sector, people who run major tech firms, whom I think would also be available to work with you all. So we are committed to making sure that you understand there is a bipartisan effort to help you put that game plan in place. Thank you, Mr. Chairman. The Chairman. Thank you. Senator Grassley? Senator Grassley. First of all, Mr. Koskinen, I thank you for coming for this conversation, and the reason for that is that the theft of personal private tax information of over 100,000 taxpayers is deeply concerning, because our whole tax system is based on the proposition of voluntary compliance and privacy and all that. So I am asking about a letter I sent to you asking a number of questions related to the data breach, and I do not expect those answers now, but I want to find out when I am going to get answers to my letters. This would include requests for documents that should shed light on whether the IRS carefully considered security risks prior to instituting the Get Transcript online service. My letter asks that you provide a response by June 4th, and it was sent last week. Some examples of what we are concerned about are whether or not you had a risk assessment plan, an implementation plan, and mitigation plans. Those are some of the documents I am asking for. Do you have any idea where my request stands in the process? And do you expect to be able to fully respond to my letter by June 4th? And if not, when do you expect that I would be able to get a response? Commissioner Koskinen. That is a good question. As you know, and as I committed to the chairman at my confirmation hearing, we treat letters from the Hill very seriously. They are a high priority. Sometimes we get a request to give a response within a week to a lot of data that is difficult for us, but our goal is to, in fact, not delay this any longer than necessary. The amount of information you want probably makes it unlikely we will get it by the end of this week, but certainly by next week we expect to be able to provide you that data. The chairman has a pending request to us, a very thoughtful request, about our entire IT program, which is in the process of coming back to him. It has taken longer than we would like, but it is going to be 40 or 50 pages long, with very, I think, instructive detail--I found it interesting to read--about the priorities we have, the challenges that we have faced over time, and how we have responded to those. But we will point out to you that we take risk seriously. When this Get Transcript was put up, when any new application is put up, we look at the security risks. Whenever we have a new program, we work with the Inspector General to see that it is being set up appropriately, that there are appropriate protections. And so, it is an important question, one that, as we move along--not only do we have risk mitigation plans when we start, we monitor as we go forward each year what are the schemes, what is going on with identity theft, where are the attacks coming from. We are pinged, as it were--not necessarily attacked but just people checking to see where we are and what they might be able to find--over a billion times a year. So we have security going on every day. The Chairman. If I can interrupt, we have a vote on. Senator Grassley will finish his questions, and then next is Senator Carper. And I will try to get back by then. If not, after Senator Carper is Senator Enzi. Senator Grassley. Okay. The Chairman. So, in that order. Senator Grassley. Yes. Well, I think I heard you say that you will fully respond. It may not be by June 4th but next week. Thank you. Mr. George, IGs are very important offices as far as I am concerned. Did your office evaluate the security measures put in place by the Get Transcript service either before or after it went online? And if so, what were your office's findings? Did the IRS fully comply with any recommendations you may have made? Mr. George. Mr. Grassley, we did take a look at an earlier iteration of the Get Transcript program and at that time made some recommendations that we believe were implemented. We have not taken a look at a subsequent version of it until now. But obviously we will be looking at that. Senator Grassley. Okay. Mr. Koskinen, reportedly the attacks began in mid-February, but the IRS failed to notice suspicious activity until mid-May. Why was the IRS not able to detect the malicious activity when it initially began? Commissioner Koskinen. Last filing season, there were 23 million successful downloads on the Get Transcript application, so it is a huge volume. We now know when it started by going back through our logs. We log every transaction. They were shrouded under the huge volume of requests going out legitimately. When the filing season ended, I think what happened was that the volume dropped--not ``I think.'' I know it dropped, and then it suddenly started up again. But, by that time, the volume of legitimate requests had dropped, and the activity became visible to us. I am not sure that people expected it to be visible, but anyway, that was when we found it. It was in mid-May when we noticed it. As I say, first we thought it was a denial of service attack, because things were backing up in a way that was unexpected. Within a couple days, our security people went through and figured out it was not that; it was, in fact, unauthorized attempts to access the data. And as soon as they found that out, within a day or two they sat down with us. We advised the Hill, and as I say, I am delighted that we have been able to notify the 104,000 taxpayers already. Senator Grassley. My time is up. Thank you. Senator Carper. Thanks, Mr. Chairman. Gentlemen, welcome. It is great to see you both. We appreciate your presence today. We appreciate very much your service to our country. I want to start off by going back to Commissioner Koskinen talking about what the IRS is doing in reaching out to those citizens, those taxpayers whose information has been or may have been compromised to try to help them in a time of uncertainty and probably a time of considerable concern and worry. A lot of us use the Golden Rule to kind of guide us in our lives: treat other people the way we would want to be treated. Tell me how the IRS is, if you will, using the Golden Rule to reach out to the people whose information may have been put at risk, or has been put at risk. Commissioner Koskinen. The investigation is still going on by ourselves, by the Inspector General, but one of our concerns was, as soon as we knew that there had been inappropriate access and data had been released, our first concern was taxpayers. We regret that this attack took place. We understand that it is a traumatic event for taxpayers. We work with taxpayers as victims of identity fraud every filing season, virtually every day. So our goal was, even while we were trying to get to the bottom of it, once we were able to identify the taxpayers whose information had gone out, our goal was to get that notice to them as quickly as we could. We secured their accounts--we secured the accounts of the other 100,000 even though no data went out--so that there would not be false refunds available to be filed against their Social Security Numbers. As I say, we have completed the mailings to the 104,000. We are offering them, at our expense, credit protection. We are also offering them the option to authenticate themselves and get an Identity Protection PIN, or an IP PIN, to give them even further security as they go forward. So we have done everything we think we can do, and most importantly, we have done it as quickly as we could, because we think it is important for them to have that information. Senator Carper. Thank you. Just very briefly, did you say the letters have been sent or are being sent? Commissioner Koskinen. The letters are all in the mail. Senator Carper. And when would you expect---- Commissioner Koskinen. The letters for the 104,000. We are now processing the letters to the 100,000 where no data escaped, but we think they need to be notified that we have evidence that criminals have access to their personal information. Senator Carper. Do those letters include phone numbers that people can call to have further conversation and gain some further assurances? Commissioner Koskinen. There are numbers to call, although, as you know, the ability to get us on the phone is not as good as we would like it to be, so we have posted information on our website. We are suggesting they go to the website first if they have questions. And we have already had some people showing up at our Taxpayer Assistance Centers, and we are providing them assistance as well. Senator Carper. All right. Sometimes people ask me why I have had some success in my life. I always say, ``I have always surrounded myself with people smarter than me.'' My wife has often said, ``It is not hard to find them.'' But I want to talk about--I want to go back to the issue of streamlined critical pay. I would like for us to think--and I will ask you to answer for the record. If we were to restore this program, which I think ended in 2013---- Commissioner Koskinen. Yes. Senator Carper. If we were to fully restore and fund this program, what would be the cost of that on an annual basis? Compare that for us with the cost of this breach. What is this costing the Treasury as we attempt to respond to it, at least to date? You do not have to do that right now, but if you have it off the top of your head, that would be fine. I would love to know what kind of return we would get on the investment if we were to restore this program. Commissioner Koskinen. The Inspector General did a review of the program that he published last December, and, as a general matter, it appeared that the cost to the Government was $400,000 or $500,000 a year, because, you know, the pay increase differential is relatively modest. We only had about 30 people who had taken advantage of it. And some of them get paid less than senior SESers. So for the $400,000 or $500,000, we think you get a great return. As I say, the 13 million returns that went through with refunds out of the 104,000 have refunds totaling $39 million. Now, some of those will turn out to be real taxpayers, but obviously the return on the investment is significant. As I said, the head of our IT program, who is wonderful, is a streamlined critical pay guy. We lost the three people who were great data analytics people, including an expert on authentication. Senator Carper. Thank you. Inspector General, can you give me a number, 10 to 1, 50 to 1? Mr. George. I do not know that we have a number. Senator Carper. I am going to ask you to just respond to that for the record, if you would. Mr. George. We will, to the extent that we can, but I would say that we did find that the program was operated successfully, and it was justified. [The information appears in the appendix on p. 44.] Senator Carper. Okay. Thank you. Outside help--you are not in this by yourself. You have other Federal agencies that have responsibilities to be of assistance to you at the IRS, and one of those is the Department of Homeland Security. I would just ask you for the record what help have they provided, and is there more that they and other agencies should be doing? Commissioner Koskinen. We have regular communications with Homeland Security. I have met with the Secretary of Homeland Security, actually at your suggestion. They provide us technical expertise. We alerted them immediately, even when we thought it was just a denial of service attack, that this was an issue they needed to know about. We alerted the Inspector General. Homeland Security has been very supportive, and what they provide is updated information about what they are seeing across the spectrum. So there is a good working relationship across the Government of agencies under attack trying to see what are the patterns, what is going on, and what can we learn from each other. Senator Carper. All right. Thank you both very much. Senator Enzi? Senator Enzi. Thank you, and thank you, Mr. Commissioner and Mr. Inspector General, for being here. I read your testimony. I thought of some other possibilities for the data breach, and I was reminded of them when I filed my taxes. I had overpaid, and I do not have electronic transfer to the bank, because I am not going to share that information with the IRS or anybody else. So I received my tax refund in an envelope, of course, a paper check, and what surprised me was, in the envelope there was also a flier from the Consumer Financial Protection Bureau. Now, the Consumer Financial Protection Bureau has the power to examine and impose reporting requirements and all kinds of regulations on financial institutions and on personal information. They are collecting everything. People are worried about the National Security Administration. They ought to worry about the Consumer Financial Protection Bureau. They are getting all of our data all of the time, and that is one of the possibilities for a security breach. I do not believe the authority extends to the IRS to solicit Americans' stories about their money through the Consumer Financial Protection Bureau. Additionally, since the Consumer Financial Protection Bureau is funded by a transfer of non-appropriated funds from the Federal Reserve System's combined earnings before it ever gets to the general fund, I question whether it is appropriate to use taxpayer dollars to advertise the Consumer Financial Protection Bureau as the IRS did by including this mailing with the tax refunds. And, lastly, because the CFPB is supposed to be an independent organization, I do not believe the Treasury Department should be soliciting information on behalf of the entity. So I would appreciate answers to the following questions. Some of these will be more detailed than the time that we have for them, but I would like to know what authority the Treasury Department relied on to include that information in the IRS tax refunds. What agency paid to print and mail those fliers? Have you respected all the boundaries concerning confidential taxpayer information? Could hackers be getting data from the Consumer Financial Protection Bureau that is used with the IRS from data that maybe the IRS is sharing with that department? Mr. Commissioner, could you--some of those I will put in more detail for written answers, but my best chance of getting an answer is right now. So how did that happen to wind up in my statement? Commissioner Koskinen. I am delighted to respond. First, I should make a correction to the record. I just talked about 13 million returns. It is 13,000 returns had a false refund, potentially false refund. There may have been real taxpayers in my previous question. With regard to this, we often provide taxpayers with information that may be of interest or support to them, particularly in financial matters. We do not share--under our protection of taxpayer data--information with other Federal agencies unless there is a specific statutory authorization for that, and to my knowledge, there is not one with the Consumer Financial Protection Bureau. I will be happy to get you further details as to who paid for the flier, why it was put in there. Generally, if we provide information to taxpayers, it is for their assistance, for their information, in ways that may be helpful to them. We are not asking for them to provide us additional information in those filings, but we will get you more detailed information, and I will get you that answer, again, if you will provide the detail of that question. Do not wait for the record. If you will just send me a note, I will get you the answer back quickly. Senator Enzi. Okay. I will be asking you some questions about that, because I know there is even a cost to putting something in an envelope. A different question. Some unlicensed tax return preparers maybe are preying on uninformed taxpayers, and I did not exactly see that in the testimony, but I know that is one of the possibilities for places where people may be getting the information. To what degree is the IRS working to eliminate these fraudulent taxpayer return people? Commissioner Koskinen. We monitor tax preparers. We have actually had criminal prosecutions against a number that have taken advantage of their clients. We are concerned about, not only criminal tax preparers, but uninformed tax preparers, and, as you know, we requested legislation that would allow us to require minimum qualifications for a tax preparer. If you go into particularly low-income or immigrant communities, you will see people advertising, ``Come with us. We will get you a big refund.'' They do not say, ``Whether you are entitled to it or not,'' but that is basically what they are up to. And so, to the extent we can, we have a voluntary program that provides continuing education for tax preparers who want to sign up, but we do monitor fraudulent returns, and, if there is a pattern that they come from an individual preparer or group of preparers, we refer those cases for prosecution. Senator Enzi. Thank you. I appreciate you being here. The Chairman. Well, I think I might as well ask a couple questions. But first we will go to the senior Senator from Kansas. Senator Roberts. Well, thank you, Mr. Chairman. Gentlemen, thank you for coming. Thank you for endeavoring to get to the bottom of this and come up with some answers. I must tell you, just the other day, when coming back to Washington on an airplane from Kansas, somebody leaned over and said, ``What is this business with the IRS?'' And I responded with regards to what I thought was his concern with regards to the ongoing targeting of conservative groups applying for exempt status. He says, ``No, no, no, no, no. There has been an attack.'' I said, ``Oh, well, we have a breach. We have a cyber-attack.'' He said, ``Well, what was that all about?'' And I said, ``Well, we do not know yet, but we are going to have a hearing, and I know we can try to get to the bottom of it. But what we do know is that this is a foreign hacker, probably from Russia, probably Russian mafia.'' There was a long pause, and he looked at me, and he said, ``I do not really have anything more to say.'' So this whole thing just rendered him speechless, and I think a lot of people are in the same boat. And it is a paradox of enormous irony. My staff tells me that just prior to this breach, privacy experts went in to brief them weeks ago, just weeks ago, on how safe data was contained in the Get Transcript system and how it was safe, and that is a ``was'' now, not an ``is.'' I do not think this is a new threat. I know it is not to both of you. The agency, the Inspector General, the GAO, and the committees with oversight have been concerned about these threats for years. GAO reported this March that the data under the control of the IRS is ``unnecessarily vulnerable to inappropriate and undetected use.'' I agree with Senator Wyden. There is a war going on. On one side we have the government, taxpayers, and business, and on the other, hackers and criminals, organized syndicates, some lone wolves, perhaps even national governments. Right now, it looks like we are losing this war, so we certainly need to use this latest breach to consider how we can regroup and win the fight. My concern is whether the IRS has the tools and mind-set to achieve better security and whether it is even capable of safeguarding this core function. I am very concerned that, in a rush to push out programs like Get Transcript--albeit this was pushed out some time ago--we have let access and purported cost savings overtake the absolute need to safeguard taxpayer information. So to the Honorable John Koskinen, thank you for coming, sir. To what extent do you partner with the private sector on data security? Do you need any additional flexibility or authority to work with outside experts to make sure you have access to the tools and the technology to address the privacy and also the data security issues? Commissioner Koskinen. We have an ongoing partnership with various elements of the private sector. We have a great working relationship with financial institutions that work with us on stopping improper refund payments. As I noted, we pulled together 3 months ago what we call a ``Security Summit,'' where I asked the CEOs of the major tax preparers, tax software providers, and State tax administrators to sit down with us, and I told them when we started: ``The purpose of this meeting is not for me to tell you what we are going to do or what you ought to do. The purpose of this meeting is to start a partnership where we work together to figure out how the three of us--the private sector, States, and the Internal Revenue Service--can work together in the battle. Senator Roberts. Is that ongoing? Commissioner Koskinen. And that is ongoing. We expect probably next week to give a public discussion of what we are going to do for the next filing season. But I told them it is not just for the next filing season. We need to begin to take a look at, on a longer-term basis, what are the things we need to do. One of the issues we may need to discuss, although we think we have the authority, is the private sector noted that they need a level playing field, so if we come up jointly with requirements as to sharing of data or the implementation or what we are going to require from taxpayers, we are the only ones who can require that across the board so that one person is not getting an advantage. And we will do that if necessary, and, if we need legislation, we will be back. But thus far, it has been a wonderful working relationship. Senator Roberts. I appreciate that. My time is running out. I just have one more question for Mr. George. I understand the IRS has shut down the Get Transcript program for the time being, and this hack has been stopped. But in looking at this program moving forward, how should we close the door to future attacks? How will you know that we have even succeeded in shutting the door? Mr. George. Great question, Senator. I do not have a definitive answer at this time. As the IRS is attempting to make the experience between the taxpayer and the IRS more user- friendly, they are giving people opportunities to access information in ways that heretofore did not exist. It is a true challenge for the IRS to strike a balance between ease of access and security. Now, the private sector, as has been pointed out, has experienced these types of problems. They have adapted, acquired different systems that would allow people to further authenticate who they are. There is a cost associated with doing that, and whether or not the IRS is in a position right now, resource-wise, to do that, I would defer to the Commissioner. But, sir, if I may, Mr. Chairman, one thing I do want to clarify is, we are still again at the outset of this investigation, but there have been reports that this data breach originated solely from Russia, and I want to make it clear that is not the case. It is beyond Russia. So I just wanted to get that on the record. The Chairman. When you say ``beyond Russia,'' what do you mean? Mr. George. That there are other domains--the domains are located in nations other than Russia, in addition to Russia. Commissioner Koskinen. I would just note that our experience with the criminal syndicates we are dealing with is that they are not limited by national boundaries. They are, in fact, operating globally. They are located and headquartered oftentimes in one country or another, but they are not constrained by geographic locations. And so our experience is, analyzing the data of the Inspector General, this is coming from several different, perhaps organized--clearly, it was an organized attack--but our experience in looking at syndicates around the world is that they cooperate when it is in their interests, and they cross national boundaries very easily. Senator Roberts. Mr. Chairman, it occurs to me that perhaps we could have something called a ``National Security Agency'' or something that could monitor this kind of data and then see how the phone calls come in. Something like that might---- The Chairman. Sounds like a good idea. Senator Roberts. Yeah, it sounds like a good idea to me. Could I simply ask that a New York Times article which contains a statement by Nina Olson, who leads the Taxpayer Advocate Service, an independent office at the IRS, be inserted in the record at this point? I apologize to my colleagues for going over time. The Chairman. Without objection. [The article appears in the appendix on p. 63.] The Chairman. Now, before I go to Senator Isakson, have you pinpointed any country or countries from which this came? Mr. George. Yes, but, again, we have to be careful because of the active investigation, Mr. Chairman. But as the Commissioner pointed out, you could be in Florida and you can use, you know, a router or a server in a different country on the other side of the world. I mean, eventually we are able to track them down, but at this stage, with the report that it was solely Russia, that is not accurate. The Chairman. That was just a speculation, as far as I was concerned. But you are not in a position to name any country or countries? Mr. George. At this stage, I would prefer not to publicly, but privately we would certainly share that information with you, Mr. Chairman. The Chairman. Fine. Senator Isakson? Senator Isakson. Thank you, Mr. Chairman. I would be happy to defer if you are in a hurry. You know, I think it is ironic. Senator Roberts made an interesting observation, but for the last 6 days, the United States Senate has been debating the merit of whether or not 41 members of the NSA should have access to two phone numbers, the date of a call, and the duration of the call, without any personally identifying information whatsoever. We are getting ready to take that authority away from them, yet we have the Commissioner of IRS talking about 104,000 Americans who had their identities stolen. And when I file my tax return on April 15th, they know how much money I make, how much my wife makes, what church I go to, whom I give the money to, whether or not I had a casualty loss, where I buy stocks, where I buy bonds, where my money is deposited, and how much I owe on my house. So I just want to put things in perspective, that this is an important hearing, but that information is a lot more private, a lot more personally identifying, and a lot more dangerous for the average American citizen than whatever the NSA ever does, and they are looking out for our physical safety. I just had to make that statement. Secondly, it is ironic---- The Chairman. You summed that up very well. Senator Isakson. Thank you. Experian just e-mailed me to tell me my credit card has just changed and I need to check with them on the potential of identity theft having taken place, and that just came in at 10:24 on my BlackBerry. I had mine stolen about 3 years ago, and I want to commend the Department, the Internal Revenue Service, for providing taxpayers whose identities have been breached with the right type of Experian or Equifax protection to see to it their identity is protected, just like mine is being protected because of the loss that I had. I guess my question is on the IP numbers. Georgia is one of the States--there are three: the District of Columbia, Georgia, and I have forgotten the name of the other State where---- Commissioner Koskinen. Florida. Senator Isakson [continuing]. Florida, where the IRS gave taxpayers the option to apply for an IP number, which is a self-identifying number for a tax return. Is that correct? Commissioner Koskinen. That is correct. Senator Isakson. And there are a million and a half of those IP numbers now issued. Is that right? Commissioner Koskinen. A million and a half are issued to those who have been victims of identity theft. We have had the pilot program where we had a few thousand. We are trying to get more people--we are running it as a pilot to see what the costs would be and the burden would be. We have had a relatively modest take-up on that, but we are encouraging taxpayers to take advantage of it. Senator Isakson. Have you found it to be a foolproof system yet, or is that why you are doing a test? Commissioner Koskinen. We are doing the test primarily to see what the burden on taxpayers is and what the cost to the IRS is. It is foolproof to the extent that you do not lose it. What happens with Social Security Numbers is they are, you know, out in the world. They are used for children's identification in school. On everybody's Medicare card is a Social Security Number. The IP PIN has no other use, so our experience thus far is we can authenticate to make sure that the taxpayer who gets the IP PIN is the legitimate taxpayer. If they keep it secure, there is no way anybody gets access to that number, and their returns, therefore, are safe. Senator Isakson. It would seem to me that if the trial that you are doing in Georgia and Florida and the District works and does seem to be foolproof, you would give every American taxpayer the ability to apply for one of those. I mean, you would not want to make them take one for fear of some sinister government plot somewhere, but you would certainly give them all the opportunity to get one. Commissioner Koskinen. Right. Our challenge, what we are looking at with the PIN is, if people lose it, we have a lot of people then--if we get, for instance, 50 million people with IP PINs and half of them lose them, we are going to end up with a tremendous amount of background noise just trying to make sure we get them the right PINs and replacement PINs. So that is one of the things we are looking at: how does it work when you have people who otherwise have not been victims sign up? But it is ultimately a way to go. When we get down to the bottom of it, our analysis over 4 or 5 years is, authentication is going to turn out to be the key, whether it is authenticating you to get an IP PIN which allows you to get in--and that is what we are working on with the private sector and the States. We need to, together among all of us, have a way of sharing information about who is actually the customer. Are you who you say you are? When you call us, you know you are you, but then you wonder why we have to authenticate you to make sure you are not somebody impersonating you. So it is a multifaceted approach we are taking, trying a lot of different things to figure out, again, as the chairman said, how we get even or get ahead of the game. Ultimately, we will never put them out of business. The goal is to make it so difficult and expensive that it is not worth their while. Senator Isakson. Mr. George, I want to ask you a question. It would probably be unfair of me to ask Mr. Koskinen this question, although he is welcome to comment if he likes. But I have been thinking, as I listened to both of your testimonies, that the best way to protect taxpayer identity and limit fraud is to change the way in which we do our taxation. There is a Georgian by the name of Neal Boortz who wrote a book called ``The Fair Tax,'' which advocates going to a retail sales tax and eliminating the inheritance tax, the payroll tax, and the income tax. If you paid at the retail purchase a tax to the Federal Government to supplant those three taxes, would it not be a seamless protection against identity theft? Mr. George. I cannot give you a definitive answer on that one, Senator. Suffice it to say the more information, the earlier the IRS gets it, and an easier way of doing taxes would assist the system overall, the taxpayers and what have you. But the various proposals, such as the ones that you mentioned, I am not certain whether they would have a direct impact on identity theft. Senator Isakson. I am not necessarily selling the proposal, but what I am saying is, if I paid my tax to the Federal Government on a retail purchase and it was collected by the retailer, who does that for the States anyway, it would eliminate any of this self-identifying information, and the tax would end up being collected, which would be a protection against some of the identity theft. Mr. Koskinen? Commissioner Koskinen. I think that is right. If we did not deal with taxpayers individually, we would not have individual information. The issue globally would still exist, as with your credit card, and that is: are criminals accessing enough personal information to access your bank accounts, your credit cards, your mortgage accounts? But from the standpoint of the IRS, if we were dealing with a system where we collected funds, the government collected funds, with a value-added tax or a fair tax or something that did not require individuals to register with us, almost by definition we would not have the risk of individual identity theft, because we would not have individuals identified. Senator Isakson. Mr. Chairman, my time is up, but I want to thank Mr. Koskinen for taking the time to invite me to the Chamblee headquarters of IRS in Georgia and giving me a tour. I appreciate the connectivity that you have there. I appreciate what you are trying to do. The Chairman. Thank you, Senator. Senator Scott, we will call on you. Commissioner Koskinen. I might just note that the irony of that visit, which our employees genuinely appreciated, was the Senator and I spent an hour on a briefing on identity theft. The Chairman. Good. Senator Scott? Senator Scott. Thank you, Mr. Chairman. Commissioner, Mr. George, thank you for being here this morning. Commissioner, can you tell me how many South Carolinians have been affected or had information stolen by the breach? Commissioner Koskinen. I cannot tell you that. As I said earlier, we have sent letters to the 104,000 whose data was accessed, so anybody in South Carolina should be getting a letter in the next few days. We can go back through and get you that information. Senator Scott. That would be great. Commissioner Koskinen. We have not segregated it by State at this point. Senator Scott. Thank you very much. Whenever I go throughout South Carolina, my constituents are incredibly concerned about the IRS. They really feel like your agency is the agency that truly has the power of intimidation. So when we hear about breaches, 104,000 folks violated by this breach, my citizens are incredibly excited and passionate and concerned about the activities at the IRS, and it did not simply start with the breach. It started when we had the conversation last time about groups being targeted because of their religious beliefs or their political doctrine. It flows into the Lois Lerner e-mails and the inability to figure out if you have or if you do not have the e-mails. It continues on down the road as they call during tax season and they are unable to get someone to answer the phone, so they have these courtesy hang-ups. It is consistent, as I talk to my constituents, that their concerns continue to grow, and this breach will only add more fuel to the fire for people who are absolutely petrified by the IRS. And now having their information exposed to criminal elements, criminal cartels, is even more disconcerting. I would love to hear what it is exactly that you are doing in order to secure the IT at the IRS. And then, Mr. George, I have a question for you about the 19 recommendations that were made and only 8 were implemented. Commissioner Koskinen. What we are doing is, for years now, security has been a high priority for us. We understand, particularly with identity theft, which is based on information stolen elsewhere and then used to file a false return, that that is a difficult and traumatic situation for taxpayers. So one of our highest priorities is making sure that, if that happens to a taxpayer, they get a prompt response from us. As I have noted, we work closely with the Inspector General and GAO. We value their recommendations. In some cases, we have actually asked them to take a look at our systems and to make sure they are not breached. As I said, we get pinged, not necessarily attacked, over a billion times a year. So we are aware--no one at the IRS is under any illusions that we are not at risk--and so we spend as much time and effort and resources as we can focused on that. Anytime we make a change in a system, anytime we make a change in a new application, we look at the security aspects of it. As the Inspector General said, we are balancing off trying to provide better taxpayer service. As you noted, with the resource constraints, we did not answer the phones at anything like the rate we would like to have. We had 23 million transcripts successfully downloaded last year. Those were requests, otherwise, taxpayers would have had to make either on the phone or in person. So to the extent that we can provide better service to taxpayers, that is a high priority for us. But ultimately I take your point--we take it very seriously--that taxpayers have to feel they are going to get treated fairly, no matter who they are, no matter what organization they belong to, no matter who they voted for. And we have done everything we can. We have implemented all the Inspector General's recommendations in those regards, and I think it is important for taxpayers to know that we take their concerns seriously. They are ultimately our customers. We work for taxpayers. We do not work for anybody else. Senator Scott. Thank you, sir. I will say that, from a resourcing standpoint, it appears that during the Obama administration about $5 billion has been dedicated to the IRS for IT. Under the Bush administration, the number was somewhere around $5.3 billion. So in the last decade or so, over $10 billion for IT, and it just does not seem like the type of security that we would anticipate and expect is there. And I am running out of time, Mr. George, so, of the 19 recommendations that were made previously for corrective action, it appears that only 8 of those 19 were implemented, and perhaps some were closed before they were fully implemented. Can you shed a little light on that for me? Mr. George. I will in the amount of time that we have left, and I would ask for permission to supplement my response in writing. Senator Scott. Thank you very much. Mr. George. We have made a number of recommendations, actually a total of 44 recommendations, as of March of this year. Eighteen of those have been recommendations from security audits that have yet to be implemented. Ten of those recommendations come from five security audits that were completed during fiscal year 2008 to 2012, so they are very dated. And there are a couple of examples of some of the oldest recommendations that we made that we think might have had some bearing on the IRS's ability, if not to stop, again---- Senator Scott. Can you name just one? Mr. George. Certainly. The IRS should require system administrators and their managers to correct user account deficiencies identified during the audit. Managers need to periodically review and validate access to systems, limiting it to people who only have a need for that information. Senator Scott. Mr. George, that does not sound like a resource issue. That sounds like a management issue. Mr. George. I agree, sir. I agree there. Senator Scott. Okay. Mr. George. I agree. And if I may add just one factoid, sir, that I just think is important to point out. The 104,000 figure is used a lot. We have to keep in mind those are the records, the transcripts that were accessed. A lot more people could be affected by that, because spouses and dependents of the taxpayer, their information is contained within those reports. So at this stage, again, I cannot give you a definitive number, and I do not believe the Commissioner is in a position to do so either. But it is more than 104,000 people certainly. Senator Scott. Thank you, sir. Mr. Chairman, thank you for the time. The Chairman. Senator Casey, we will turn to you. Senator Casey. Mr. Chairman, thank you very much, and thanks for this hearing. Commissioner and Mr. Inspector General, thank you for your appearance here and your service. We appreciate it. I want to start with the issue through the lens of Pennsylvania. We have had a number of reports--and I have heard directly from law enforcement in Pennsylvania--about identity theft, and not just the broad-based or the significant challenge it presents generally, but specifically because the response to it often involves many different agencies, for example, in addition to the IRS, the Department of Justice, the Social Security Administration, and State and local law enforcement. So I would ask you first, Commissioner, about what we refer to as interagency and interstate coordination. Tell me about that in terms of what you have been able to do since you have been Commissioner. Commissioner Koskinen. When all of this, as I said, exploded in 2010 to 2012, it overwhelmed law enforcement, overwhelmed everybody. Since then, we have established very successful partnerships actually with State and local law enforcement across the country, particularly in States like Georgia and Florida where all of this seems to have started. So they, together with our working relationship with the Department of Justice and U.S. Attorneys--we have a very active Criminal Investigation Division, but we do not prosecute people, we do not bring charges. So we have to work, again, in partnership with U.S. Attorneys across the country, and that has been a very successful and effective partnership. As I said, we have thrown almost 2,000 people in jail over the last few years who have been convicted and sentenced to long sentences as a result of those partnerships. Senator Casey. One of the realities of this for a State like ours--and I am sure this is true in other States as well-- is local prosecutors, meaning District Attorneys, for example, at the county level, are among the law enforcement officials who have to confront the problem. So, Commissioner, I would ask for your commitment to work with our folks, both local officials and State officials, as well as taxpayers, on a coordinated approach to solve the problem. Commissioner Koskinen. We are delighted to do that. We have no illusion we can do this by ourselves. We need as much help as we can get, and we have a great working partnership with the investigative arm of the Inspector General as well. Senator Casey. I appreciate that. Thank you for that commitment. I want to turn to the question of resources. I know that often we in the Congress will point to a problem, and that is part of our job in terms of oversight and in terms of making sure taxpayers have their concerns responded to. But as we point fingers, we also ought to be constructive in terms of providing support. And sometimes that happens, and sometimes it does not. But I noted in your testimony, Commissioner, on page 5--and I guess I am asking a question and answering it by reading this, but on the question of resources, you say, and I quote, ``Congress can help by approving the President's fiscal year 2016 budget request, which includes $101 million specifically devoted to identity theft and refund fraud, plus $188 million for critical information technology infrastructure.'' So $101 million plus $188 million. Can you tell us what those dollars would be used for? Commissioner Koskinen. Yes. What they would do is, on the one hand, in terms of identity theft, they would improve our ability to more quickly upgrade our filter process. We have been building that for some time. We would go faster with that. It would allow us to, in fact, respond more specifically to individual taxpayers and their concerns. Most importantly, it would allow us to upgrade our basic IT infrastructure. As I noted earlier, we are running antiquated systems, some of which are no longer supported by the software companies. And I would stress this particular problem was not a question of resources. My concern about it is, it is really a shot across the bow. The overall, ongoing challenge of dealing with sophisticated criminals around the world is the security of the entire system, and that is where the weaknesses in our antiquated system come to bear. So whatever resources we can have to continue to improve the overall system will be helpful. Senator Casey. And I hope if there is anything additional, either by way of authority or resources you need when it comes to dealing with the international dimensions to this, which I am sure are challenging, I hope you indicate that to us. Thanks very much, Mr. Chairman. The Chairman. Thank you, Senator. Senator Heller, you are next. Senator Heller. Mr. Chairman, thank you. Thanks for holding this hearing. I also want to thank our witnesses for being here also. Commissioner, I want to thank you for the call we had yesterday. It was very, very helpful, and hopefully we can move forward on some ideas. In fact, I will even bring them up, for that matter, as you probably anticipated. They will not be part of my questioning, but I think they are issues that are important to my home State. I have heard from many of my constituents their strong concerns over the proposed IRS changes to the filing of information returns for reported winnings from bingo, keno, and slot machines. Due to the administrative burden proposed, 13,000 customers have signed a petition so that the reporting threshold for bingo, keno, and slot machines would not be reduced, and I too share their concerns about these proposed rules. Across the U.S., the gaming industry supports 1.7 million jobs and about $240 billion in activity--no small sum. My staff has had multiple conversations with your office in regards to these proposed rules, and I am pleased that we had that opportunity to have the same discussion between you and me yesterday. That said, I, like many other taxpayers, was frankly kept in the dark with regards to receiving responses from the IRS to better address these proposed rules. My questions were answered yesterday, some of them. I am grateful for that. Your comment period is extended, and I appreciate that, since it did take a couple months in order to get a response from your office. So, as I mentioned yesterday, my comments will be coming in the next week or so. Anyway, thank you for your help and support in extending the deadline in order to get those questions in. The chairman talked a little bit about public trust for the IRS's success, and you are familiar with that. The number of weaknesses--the ability to effectively protect taxpayers' confidentiality, integrity, and availability of certain taxpayer data unfortunately was not implemented. The Inspector General is here. He spoke on it a little bit, and you alluded to it during your testimony. It is my opinion, though, that a properly done tax reform would not only provide a simpler code, but would also provide the IRS with tools to combat tax-related identity theft and assist the victims of this crime. I told you yesterday on the phone that I am here to help. How can I help you? Commissioner Koskinen. Well, I appreciate that, and I appreciate, again, the chairman's clarity about how we need to work together on this. It is not a political issue. As we have said for some time, we need to get information returns earlier. It would be a great help to us. We need to have the authority to do what is called ``mark'' W-2s so that we can assure that they are produced by legitimate companies, not by fraudulent companies, as we go forward. We may need authority, to work with the partnership we have with the tax preparers and tax software companies as well as the States, to provide minimum requirements for data that authenticates taxpayers when they file their tax returns as we go forward. And then, ultimately, as I have noted, our discussion today is not about something that was a result of a funding shortage, but the challenge we face more broadly dealing with the criminal enterprises around the world does depend upon making sure we have adequate funding to continue to rebuild our systems to get them into what I call ``the early 21st century'' rather than the late 19th century. Senator Heller. Yes. Commissioner, a previous Finance Committee Chairman, Max Baucus, had discussed a draft that would disallow taxpayer Social Security Numbers on W-2 forms. What is your view of this proposal? I would ask the same thing of the Inspector General. Commissioner Koskinen. We have suggested that actually we just ought to get the last four digits on a W-2 form. What is more important to us is, if we can put so-called hashtags on those--and then we may need legislative authority--much like the number of companies that can provide paper that produces the money is allowed to be constrained by statute, we may need to be able to have those who produce W-2s through a competitive process be limited in number so that we can make sure that W-2s and the hashtags are appropriate as a way of, again, trying to make sure that the identifier is legitimate. Senator Heller. Okay. Mr. George, do you think that would be helpful? Mr. George. I do, actually, Senator. I agree with the Commissioner there. Senator Heller. Okay. Mr. Chairman, my time has run out. Thank you. The Chairman. Well, thank you, Senator. Mr. George, let me just ask you an unrelated question while you are here. It is an important subject. For almost a year, at our request, TIGTA has been investigating Lois Lerner's hard drive crash. Last month, TIGTA gave the committee the last of the e-mails pulled from IRS backup tapes. As I understand it, the next and final step is for you to provide us with a report on your investigation, and now that all of the recovery work is done, can we get a commitment from you today to submit your report to us on the hard drive crash by mid-June? Mr. George. I can commit, Mr. Chairman, to having it to you by the end of the month. I spoke with my chief investigator prior to this hearing in anticipation of the subject coming up. As of now, we have conducted over 100, almost 150 interviews of people related to the lost e-mails, and, as you can imagine, each interview leads to more information that needs to be tracked down. Given the nature of this matter, we need to be as thorough as possible, and we are endeavoring to do just that. And I can say there are still very important interviews to come. So we will do our level best to try to accommodate that request, sir, but I can assure you, you will have it before the end of the month, the Congress will. The Chairman. Okay. Well, we will live with that. We would like to get our final report done, if we can. Commissioner Koskinen. I would just like to go on the record saying I would be delighted to get everybody's final reports. The Chairman. I am not sure that was helpful. [Laughter.] But we are glad you are glad, is all I can say. Senator Roberts has a question or two. Then I would like to start the second round. Senator Roberts. I would like to go back to that statement I inserted for the record. Nina Olson leads the Taxpayer Advocate Service, an independent office at the IRS. And in her annual report, she noted that victims must often navigate a labyrinth of IRS operations and recount their experience time and time again to different employees. Even when cases remain in one IRS function, they may be transferred from one assister to another with significant periods of non-activity. On average, the agency took nearly 6 months to resolve cases. She added that cases were also frequently closed prematurely before all related issues had been fully addressed. She recommended that a single officer be assigned to handle each case, and then she spoke to a broader issue, which I think really sums up what we are after here. While granting taxpayers enhanced access to their tax information, which was the laudable goal that even Congress agreed to when we passed this bill, the overriding priority now must be to protect taxpayers' confidential tax information from exposure. Is that a fair statement? Commissioner Koskinen. I think, you know, as the Inspector General said and most people have said, it is a balancing act. As I say, we had 23 million successful downloads of the transcript. If those people had to call us or show up in person to get their transcript, it would have been a problem. But, on the other hand, we need to make sure that we are as secure as possible. I think what is happening across the economy is that customers and taxpayers now understand that it may be harder to get access to their accounts, whether it is a bank account or--not harder in the sense it takes you 2 weeks, but there may be more hurdles you have to go through. You may have to have more information available to be able to get access. And I think taxpayers and customers are willing now and understand the need to accept the higher level of burden. And so we are reconsidering all of our work in that context in terms of where we go. It should be noted that over 20 percent of the people who try to get their transcript downloaded cannot answer the questions, their own personal questions. But on the other hand, I think what this does remind us all is that, no matter how important it is to be providing excellent taxpayer service, we have to focus as much as we can on the security of the data, and that is a critical issue for us. Senator Roberts. Mr. George, do you agree with that? Mr. George. I do, Senator. Senator Roberts. The IRS urged taxpayers not to contact the agency, the 104,000, saying it would only delay the already overburdened staff. Anyone whose information was stolen will be contacted. Sort of like ``hurry up and wait.'' Commissioner Koskinen. Well, they will not have to wait long. The letters are already---- Senator Roberts. Have letters been sent to all the 104,000? Commissioner Koskinen. Yes--104,000 letters. Senator Roberts. And what do the letters say that the person should do? Commissioner Koskinen. They basically give instructions about how to get credit protection at our expense. They give them information about how to obtain an IP PIN if they would like one, the documentation they will have to provide. It gives them a number to call, but suggests that if they have question, they go to our website where we have provided a set of frequently asked questions about the situation and what can be done. Senator Roberts. And you are confident you have the ability to protect this information with the suggestions you have in that letter? Commissioner Koskinen. Yes. In fact, we advise them in that letter that we have marked their account so that no one else can file a return with their own information, and we---- Senator Roberts. I appreciate that. Thank you, Mr. Chairman. The Chairman. Thank you. Let me just ask--I apologize to you, Senator Carper. I should have called on you first. Senator Carper. Mr. Chairman, I have already had one bite out of the apple while you were out of the room, and I will wait my turn. The Chairman. Okay. Well, let me just--Mr. George, in 2012 TIGTA did an audit of the IRS Computer Security Incident Response Center, or CSIRC, which is responsible for preventing and detecting computer security threats to IRS systems. In that 2012 audit, TIGTA found that the IRS was not monitoring 34 percent of its servers, and you noted that, ``Without adequate monitoring of IRS servers, the CSIRC may not timely detect malicious activity or cyber-security incidents.'' Could the IRS's failure to monitor its servers lead to the type of breach that occurred in May? That is question number one. And does TIGTA plan to reassess whether the CSIRC is now actively monitoring all IRS servers? Mr. George. ``Yes'' is the answer to your first question, Mr. Chairman, and, yes, we will also be monitoring that. The Chairman. Okay. Mr. George, the IRS is planning to expand the additional online services that it offers in the coming years. One notable example is the secure messaging pilot program that is scheduled to launch in 2016 that will allow the IRS to e-mail taxpayers and practitioners about sensitive tax information, something which the IRS has not done in the past, as I understand it. In light of the recent data breach, do you have concerns about the security of online services that the IRS plans to introduce? And beyond current measures, what must the IRS do to ensure that these services are secure? Mr. George. The IRS has sent the message in the wake of a lot of these attempts to gain access to taxpayers' identity or other information, and the message was, you know, ``We never reach out to you by e-mail,'' and the like. And so they will have to engage in a public service information effort, I think, to inform taxpayers about these new ways of approaching the system of tax administration. Ultimately, it is a worthwhile goal to be able to contact people by way of e-mails and alternate ways of contacting them versus paper contact, which is much more expensive--and obviously so when you have individuals attempting to help taxpayers at Taxpayer Assistance Centers and the like. So it is a way for the IRS to more efficiently and effectively assist taxpayers to comply with their tax obligation. It is a good thing. There is no question that TIGTA will be looking at the overall proposal, how it is implemented, and the impact that it has on taxpayers. The Chairman. Well, thank you. We appreciate the service that you render. It is a tough job, both of you. Senator Heller, do you have any questions? Senator Heller. Mr. Chairman, thank you. I just have a couple of quick questions. I probably will not take all my 5 minutes, but these are issues that I think are important. The last question I asked, Commissioner, was: How can we help? And I want you to explain to me why critical pay authority should be renewed. Commissioner Koskinen. The streamlined critical pay authority has two aspects. The most important in many ways is the streamlined part, and primarily we use it for advanced- technology people. We can find somebody like the head of our Information Technology system, who worked at Boeing, and we can recruit them, and, much as in the private sector, if we find the right person, we can make them an offer, and they can accept it and start immediately. The government process requires us to go through a complicated process that takes sometimes 3 to 4 months, and for the kind of people, the handful you are talking about recruiting, they often cannot wait 3 to 4 months or will not wait 3 to 4 months. Our IT head told me we have two people we have tried to hire in the IT department who, if we had streamlined critical pay, would have come. They did not want to participate in a 3- to 5-month process and, therefore, turned us down. Senator Heller. The authority expired in 2013. Commissioner Koskinen. Correct. Senator Heller. What has been the impact between then and today, outside the story you just told me? Commissioner Koskinen. Well, we have had 29 people on streamlined critical pay authority. We were authorized no more than 40, and we never used more than 34 of them, so we did not just put people in. We are down now to 15 or 16. We have lost our Senior International Expert in Tax Enforcement. We have lost the Deputy CIO. We have lost the three people who are best at big data analysis, including our expert on authentication. Their term ran out, and we have not been able to replace them. Senator Heller. One follow-up. I do not have to tell you about your budget. You know your budget a lot better than I do. But in 2014, it is my understanding you spent in the area of $2.4 billion or 21 percent of your budget in information technology. With that budget being that substantial, do you have the experts that you need in cyber-security? Commissioner Koskinen. We at this point have the experts. In fact, a key executive in cyber-security is on streamlined critical pay. He will rotate off. Senator Heller. Okay. That was my next question. Commissioner Koskinen. If we do not have the possibility, we will not be able to get them in. Of the budget in 2014, about 80 percent of it goes to simply operating and maintaining our system, so that our challenge in 2014 was, for instance, we asked for $300 million in IT to implement the Affordable Care Act. We got zero. So we had to take $300 million out of other IT programs, and the same thing happened in 2015. Senator Heller. Do you feel you have well-qualified hires? Commissioner Koskinen. We have a spectacular workforce. It is the best workforce I have ever dealt with, and I have dealt with a lot of different enterprises in the private sector for 20 years and in the government. It is a dedicated workforce. Even with all the pressure and sometimes the abuse they take, they are dedicated to the mission, and the mission is based on helping taxpayers. Senator Heller. Okay. Commissioner, thank you. Mr. Chairman, thank you. The Chairman. My understanding is that Senator Carper would like to ask a couple of questions, but first I would like to thank both of you for being here, and I appreciate the testimony you have given here today. Mr. Koskinen, you have a tough job. There is no question about it. I do not know anybody who approaches it with a smile like you do, and I would be upset every day. And I think there is something wrong with you that you are not upset every day. [Laughter.] On the other hand, I know you are. And, Mr. George, we are very pleased with the hard work that you do--and your group down there. It is important that we have both of you working in the best interests of our country and of our taxpayers, and I really have appreciated you over the time that I have known you and the time you have been advising the committee. Mr. George. Thank you, Senator. The Chairman. With that, we will turn to Senator Carper, and hopefully finish up with Senator Carper. Senator Carper. Thanks, Mr. Chairman. I am an old State treasurer and an old Governor, and I have been thinking about these attacks on the IRS. And, as you know, there are 50 States. They all have their own divisions of revenue. Has anyone given any thought to how to better help them prepare to defend information and defend their treasuries from attacks like this? Is there any discussion of that? Commissioner Koskinen. As I say, we have had and now have a much more formal partnership and working relationship with States, with tax administrators. We are sharing information. We are trying to provide them as much assistance as we can about what we know. As I say, this is no longer the problem of any individual organization. This is a systemic challenge across the entire economy. There is a website somebody sent me that had the indications that of the 25 cyber-attacks and data breaches in May alone, 25 around the world, we are just one of those 25. So we take it seriously. We need to deal with it aggressively. But we need to understand, it is in the context of a significant systemic set of attacks. Senator Carper. I think I heard you say, Commissioner Koskinen, describing the information that was included in the letters going out, I thought I heard you say the term ``IP PIN'' in one of your answers. Would you just elaborate on that, please? Commissioner Koskinen. Yes. An Identity Protection PIN is a separate 6-digit number that is given to taxpayers if they are the victims of identity theft which they use to file in addition to their Social Security Numbers. They will have their Social Security Number, because we can check that against W-2s. But on the 1040 there is a point where they will include their IP PIN. If the IP PIN does not appear, the return is not accepted. So it protects them against anyone filing a fraudulent return with their Social Security Number alone. Senator Carper. All right. Thank you. I know it is still early in the review process, but do you intend to reinstate the Get Transcript online application? And if so, how do you balance the need for additional security against the need for taxpayers to have a convenient means of gathering access to old returns? Commissioner Koskinen. Well, it is the conundrum we face in any of these applications. As I say, we had 23 million successful downloads. That is a lot of taxpayer service. We will not put it back up unless we are satisfied that the security is, in fact, appropriate. It does mean that it is going to be more difficult for taxpayers, and more of them will not be able to get through. Already some of them cannot get through the existing security measures. But again, I think taxpayers are in a position to understand that. We are looking at the lessons learned from this event. We are delving into at great length exactly how it happened, what could be done in the security issues to make it more difficult for it to happen, if not impossible. But as you know, it is a continual trade-off of trying to provide as much information as readily to taxpayers as we can, but at the same time protecting that data. Senator Carper. We have heard a fair amount today about upgrading the IRS's IT systems. Will the President's fiscal year budget request be sufficient, if it is met, to meet those needs? Or is that request from the President, from the administration, for 2016 just the beginning of a multiyear effort to upgrade your computer systems? Commissioner Koskinen. The President's budget would allow us to, in fact, make significant progress in 2016, but your point is well taken. We have been working on upgrading the system for some time. We are not going to be able to do it in 1 year. One of the things we are working on with the appropriators is to give them a longer-term view of what it actually takes both to upgrade the systems and also to provide secure, increased availability of information to taxpayers. Senator Carper. All right. We talked a moment ago about partnership and reaching out to the States and making sure that they learn from us at the Federal level, and maybe we can learn a few things from them to provide better protection against these attacks. Are there any other countries that we are communicating with that have thought through these problems and responded to these same kinds of challenges that we may be able to glean some helpful ideas from? Commissioner Koskinen. We are in contact--I belong to a group of the 43, in effect, largest tax administrators around the world. We seem, primarily because, I think, of the size of the economy and the attractiveness of it, to have more of these challenges than others. But security is on all of their minds. Those with a value-added tax have less concern about individual taxpayers, as noted in the earlier discussion. But we are sharing information particularly with the OECD countries. But as I say, thus far in the meetings I have had with them, we seem to be having more challenges as an economy as well as a tax administration system. Senator Carper. And a last question, if I could, Mr. Chairman, maybe of Inspector General George. A year or so ago a firm, I want to say it might have been--I am not sure of the name of the firm--but a U.S. firm that specializes in protection against cyber-attacks, a private firm--Mandiant. I think it was Mandiant. Someone did a fair amount of work on attacks emanating from China, and they actually drilled down and said, ``These are the folks, this is where they are located, these are the people who are actually launching these attacks against our country.'' The Chinese did not accept it very well, but I have not seen anything to refute the veracity of the assertions. I always like to focus on root causes. I like to focus on root causes, and I keep trying to figure out how do we go on a root-cause approach to deal with this issue, but it is just spreading. In our own family, we have been involved in a hack against the university that we are associated with, with our health care provider, now in this case with the issue at hand. So I like to say, the third time is the charm, I hope. I hope it is over. But my guess is it is not for us. But how do we go about the root cause of getting to this? Again, is there some way--everybody keeps saying it is coming from Russia, Russian criminal organizations. Is there not anything we can do about that? Mr. George. Well, if it is addressed to me, sir, I mean, Willie Sutton said, ``That is where the money is.'' And of course, having the world's largest economy, as the Commissioner suggested, you know, it attracts the bad guys. While I am not familiar with the study you just cited citing China as the source of a lot of these problems, on a number of the criminal investigations that have been completed by us, a lot of them did emanate from former Soviet republics-- Belarus and places like that. It is again, sir, just too many people who have too much time on their hands, and with their sophistication that relates to computers and networks and servers and the like, it is truly a challenge, and not just for the Internal Revenue Service. As has been stated before, both by the Commissioner and members of this panel, this is a Federal, State, local, global problem. And I do not see it ending any time soon, sir, because, just as soon as the IRS increases its security posture, the bad guys will increase their efforts to overcome those, and they have a lot of time on their hands. Senator Carper. Mr. Chairman, I would just say in closing, we spend a lot of time trying to focus on the symptoms of problems in all kinds of ways. We do not always focus on the root causes. And one of the things that it is important that we focus on is the symptoms and defending against these attacks in ways that have been discussed here today. But at the same time, we need to be thinking about root causes as well. And I am not sure how to do that, but we need to think about that. Thank you so much, and thanks to our witnesses. The Chairman. Thank you, Senator Carper. Senator Nelson? Senator Nelson. Mr. Chairman, these are numbers of confirmed tax-related identity theft victims: Florida, 334,962; Utah, 10,654; Delaware, 4,703. Senator Carper, you had 4,703 of your constituency who were victims of identity theft. Total U.S., D.C.: 1,889,736. If you include the U.S. territories and unconfirmed residents, we are talking about 2.75 million. Now, Mr. Chairman, we have had six hearings on identity theft, and yet we continue to bring in the IRS. We ought to take care of this by passing legislation. I filed legislation, you filed legislation. Your legislation has a lot of similarities with our legislation. We ought to get something moving. The Chairman. Let us get together and get it done. I agree with you. Senator Nelson. Excellent. The Chairman. All right. Senator Nelson. So put on the record, Mr. Commissioner, what tool would help you on this, which I think is in the legislation, but I suspect you want to get that out there on the record. Commissioner Koskinen. Yes. As we said earlier in the hearing, the legislation we have increasing support on the Hill for--we need to get information returns, particularly W-2s, earlier. We need to get them in January when employees get them so that we can, in fact, before we send out refunds, have a better chance of checking the return data. We also need to have authority to, in effect, use what are called hashtags with industry on those W-2s to make sure that the W-2s themselves are accurate. Criminals are now forming false corporations and generating false W-2s to go along with their fraudulent returns. We need to provide minimum standards for qualifications for education for tax preparers, which you have talked about in your bill. We need to increase the penalties for engaging in identity theft and refund fraud. Those are requests in our budget proposal. They are in your legislation. We are delighted to work with you and with the chairman to put together a final package that would give us additional tools. I would stress they will be important and very helpful, but as the Inspector General and I have both been saying, there is no magic silver bullet that tomorrow morning is going to put this all to an end. We need to continue to be vigilant. We will need to continue to do everything we can with our systems, with our security, with our monitoring of it. But clearly, the items that are contained in the legislative discussions you and the chairman have been having are going to be important. Senator Nelson. Okay. That is my point, Mr. Chairman, and-- -- The Chairman. Still, let us get together. Senator Nelson. Let us do it. And, Mr. Chairman, I became alerted to this--this is what is shocking. This was about 4 years ago. Street crime in Tampa, FL dropped--burglaries, auto thefts, muggings dropped--because the criminals suddenly realized: get a laptop, go in and create a false return, and get a refund. And it was all of a sudden too easy to get money. Now, it is a good thing that people's homes were not being burglarized, but nevertheless, people were being robbed. In this case, it is not only individuals who had a nightmare, by the way--and thanks to the IRS; you have helped us administratively once a taxpayer has a false return in their name--but then all of the other ID trauma that they go through getting back their ID. But it suddenly had a whole shift, and the taxpayers are paying because of this theft. So thank you, Mr. Chairman. The Chairman. Thank you, Senator. I want to thank Commissioner Koskinen and Inspector General George for appearing before the committee today, as well as all of the Senators who have participated. This has been a very interesting hearing for me. Commissioner Koskinen, three unrelated but important points before we wrap up. First, in recent months I have written to you regarding the reissuance of the proposed rule on political activity by tax- exempt organizations. You know how interested this committee is in this matter. Can you tell me when the IRS and Treasury Department will reissue the proposal? Commissioner Koskinen. If I had a crystal ball, I would be better at giving you that information. We have spent a lot of time, we had 160,000 responses we took very seriously. I personally have read over 1,200 pages of thoughtful responses. We are moving forward. My commitment has been that---- The Chairman. Keep me informed. Commissioner Koskinen. Yes. My commitment has been that we will keep you informed. You will not be surprised. We will keep you updated before we actually issue a proposal, and it will provide for 90 days of comment and a subsequent public hearing. So we do not want anybody to think we are rushing this. We are only going to do this once. We are not going to do it every 2 or 3 years. The Chairman. Well, I want to end that chapter of mistreatment of conservative groups--liberal groups. I do not care. It just should not happen, and I am counting on you to straighten it out. Commissioner Koskinen. Yes. As I have said, we want to have a rule that is clear, fair to everybody, easy to administer, and easy to operate a (c)(4) organization under so you do not have to worry about somebody second-guessing you in the future. The Chairman. That would be great. Second, in April, I wrote to Secretary Lew requesting documents relating to the 2013 political activity rule. He has declined that request, and I will be responding to him on the matter. Now, I wanted to give you notice that I will be sending a similar request to your agency, and I look forward to working with you on that in the near future. Finally, in April, I wrote to you regarding the IRS's spending on information technology, and I want to thank you for acknowledging my letter, and I look forward to receiving a thorough response as soon as possible, if you can. Commissioner Koskinen. It is a lot of data to pull together, but I think it will be very helpful because it does answer a range of very detailed questions about priorities, about our experience, how we monitor it all, and, with a little luck, we will get it to you very quickly. The Chairman. Well, thank you. I hope you are very lucky. I want to thank both of you very much. This has meant a lot that you would come up on such short notice. Any questions for the record should be submitted by no later than Tuesday, June 9th. With that, the hearing is adjourned. [Whereupon, at 11:56 a.m., the committee was adjourned.] A P P E N D I X Additional Material Submitted for the Record ---------- Prepared Statement of Hon. J. Russell George, Treasury Inspector General for Tax Administration, Department of the Treasury Chairman Hatch, Ranking Member Wyden, and Members of the Committee, thank you for the opportunity to testify on the data breach that occurred at the Internal Revenue Service (IRS). The Treasury Inspector General for Tax Administration, also known as ``TIGTA,'' is statutorily mandated to provide independent audit and investigative services necessary to improve the economy, efficiency, and effectiveness of the IRS. TIGTA's oversight activities are designed to identify high-risk systemic inefficiencies in IRS operations and to investigate exploited weaknesses in tax administration. TIGTA's role is critical in that we provide the American taxpayer with assurance that the approximately 91,000 \1\ IRS employees, who collected over $3.1 trillion in tax revenue, processed over 242 million tax returns and other forms, and issued $374 billion in tax refunds \2\ during Fiscal Year 2014, perform their duties in an effective and efficient manner while minimizing the risks of waste, fraud, or abuse. This includes investigating individuals who use the IRS as a means of furthering fraudulent, criminal activity that negatively impacts the operations of the IRS, as well as investigating allegations of serious misconduct by IRS employees and threats of violence against the IRS, its employees, and facilities. Over the past year, a significant part of our workload has been devoted to investigating scams that can negatively impact the integrity of tax administration. --------------------------------------------------------------------------- \1\ Total IRS staffing as of January 24, 2015. Included in the total are approximately 19,000 seasonal and part-time employees. \2\ IRS, Management's Discussion and Analysis, Fiscal Year 2014, page 2. --------------------------------------------------------------------------- overview of the recent irs data breach On May 26, 2015, the IRS announced that criminals had used taxpayer-specific data acquired from non-IRS sources to gain unauthorized access to information onapproximately 100,000 tax accounts through the IRS's Get Transcript application.\3\ TIGTA's Office of Investigations continues to investigate this incident, coordinating with other Federal law enforcement agencies. We ask for patience while we gather the evidence we need to determine who is responsible for this intrusion so they can be brought to justice. In addition, the evidence we are gathering is also critically important for us to understand the impact on the victims as well as to document exactly how this happened so it can be prevented in the future. --------------------------------------------------------------------------- \3\ Information available on the Get Transcript application can include account transactions, line-by-line tax return information, and income reported to the IRS. According to reports we received from the IRS, which we have not yet validated, an individual or individuals succeeded in clearing an authentication process that required knowledge of information about the taxpayer, including Social Security information, date of birth, tax filing status, and street address. In addition, it appears that these third-parties had access to private personal information that allowed them to correctly answer questions which typically only the taxpayer would know. This type of information can be purchased from illicit --------------------------------------------------------------------------- sources or fee-based databases, or obtained from social media sites. The proliferation of data breaches reported in recent years and the types of information available on the Internet has resulted in a degradation of controls used to authenticate individuals accessing personal data in some systems. The expansion of e-commerce services often conflicts with the tenets of strict security standards. Providing taxpayers more avenues to obtain answers to their tax questions or to access their own tax records online also creates greater risk to an organization and provides more opportunities for exploitation by hackers and other fraudsters. In its most recent Strategic Plan,\4\ the IRS acknowledged that the current technology environment has raised taxpayers' expectations for online customer service interactions and it needs to meet these expectations. However, the risk for this type of unauthorized access to tax accounts will continue to grow as the IRS focuses its efforts on delivering taxpayers self-assisted interactive online tools. The Commissioner of Internal Revenue's vision is to provide taxpayers and tax professionals with electronic products and services that they desire to enable them to interact and communicate with the IRS. This includes more robust online services, based on the idea of accessing Government services anywhere, any time, on any device, in three to 5 years. For example, the IRS is acquiring software and contractor services for a Secure Messaging Pilot Program to be launched in Fiscal Year 2016 that will lay the foundation for a broader taxpayer digital communication rollout in the future. --------------------------------------------------------------------------- \4\ Internal Revenue Service Strategic Plan--FY 2014-2017 (IRS Publication 3744), pgs. 6-7 (June 2014). In addition to the IRS's Get Transcript application, the IRS also requires taxpayers to authenticate their identities for certain other services on its public Internet site or its toll-free customer service lines, which could also pose a risk for unauthorized access. In June 2014, the IRS established its Authentication Group to provide oversight and facilitate the development and implementation of authentication policies and processes across the IRS's business functions. Due to the significant risks in this area, we currently have an audit underway to assess the IRS's processes for authenticating taxpayers at the time tax returns are processed and when accessing IRS services.\5\ --------------------------------------------------------------------------- \5\ TIGTA, Audit No. 201440016, Efforts to Authenticate Individual Income Tax Return Filers Before Tax Returns Are Processed, report planned for August 2015. --------------------------------------------------------------------------- data security remains a top concern of tigta Since Fiscal Year 2011, TIGTA has designated the security of taxpayer data as the top concern facing the IRS based on the increased number and sophistication of threats to taxpayer information and the need for the IRS to better protect taxpayer data and improve its enterprise security program. In addition, the IRS has declared its Information Security program as a ``significant deficiency'' from a financial reporting standpoint, which means weaknesses in its internal control environment are important enough to merit the attention of those charged with IRS governance. To provide oversight of the IRS's Information Security program, TIGTA completes approximately seven audits each year on various security programs, systems, and solutions. As of March 2015, these audits have resulted in 44 recommendations that have yet to be implemented. While most of these recommendations are based on recent audits, there are 10 recommendations from five audits that are over three years old. In addition, the IRS has disagreed with 10 of 109 recommendations from 19 audits relating to security that we performed during the period of Fiscal Year 2012 through Fiscal Year 2014. We have identified a number of areas in which the IRS could better protect taxpayer data and improve its overall security posture. Most recently, we found two areas that did not meet the level of performance specified by the Office of Management and Budget and the Department of Homeland Security: (1) Identity and Access Management, and (2) Configuration Management.\6\ --------------------------------------------------------------------------- \6\ TIGTA, Ref. No. 2014-20-090, Treasury Inspector General for Tax Administration--Federal Information Security Management Act Report for Fiscal Year 2014 (Sept. 2014). Identity and Access Management ensures that only those with a business need are able to obtain access to IRS systems and data. However, we found that the IRS needs to fully implement unique user identification and authentication that complies with Department of Homeland Security directives, ensure that users are only granted access based on needs, ensure that user accounts are terminated when no longer --------------------------------------------------------------------------- required, and control the improper use of shared accounts. Configuration Management ensures that settings on IRS systems are maintained in an organized, secure, and approved manner, including timely updating patches to known security vulnerabilities. We found that the IRS needs to improve enterprise-wide processes for assessing configuration settings and vulnerabilities by means of automated scanning, timely remediating scan result deviations, timely installing software patches, and controlling changes to hardware and software configurations. Patch \7\ management is an important element in mitigating the security risks associated with known vulnerabilities to computer systems. This is critical to prevent intrusions by unauthorized individuals or entities. Due to its importance, TIGTA evaluated the effectiveness of the IRS security patch management process, which has been an ongoing challenge for the IRS.\8\ We found that the IRS has made progress in automating installation and monitoring in a large segment of its computers, but it has not yet implemented key patch management policies and procedures needed to ensure that all IRS systems are patched timely and operating securely. Any significant delays in patching software with critical vulnerabilities provides ample opportunity for persistent attackers to gain control over vulnerable computers and get access to the sensitive data the computer systems may contain, including taxpayer data. --------------------------------------------------------------------------- \7\ A patch is a fix of a design flaw in a computer program. Patches must be installed or applied to the appropriate computer for the flaw to be corrected. \8\ TIGTA, Ref. No. 2012-20-112, An Enterprise Approach Is Needed to Address the Security Risk of Unpatched Computers (Sept. 2012). We have also identified other areas that would improve the IRS's ability to defend its systems against cyber-attacks. Monitoring IRS networks 24 hours a day year-round for cyber-attacks and responding to various computer security incidents is the responsibility of the IRS's Computer Security Incident Response Center (CSIRC). TIGTA evaluated the effectiveness of the CSIRC at preventing, detecting, reporting, and responding to computer security incidents targeting IRS computers and data.\9\ We found that the CSIRC is effectively performing most of its responsibilities for preventing, detecting, and responding to computer security incidents. However, further improvements could be made. At the time of our review, the CSIRC's host-based intrusion detection system was not monitoring a significant percentage of IRS servers, which leaves that portion of the IRS network and data at risk. In addition, the CSIRC was not reporting all computer security incidents to the Department of the Treasury, as required. Finally, incident response policies, plans, and procedures were either nonexistent, inaccurate, or incomplete. --------------------------------------------------------------------------- \9\ TIGTA, Ref. No. 2012-20-019, The Computer Security Incident Response Center Is Effectively Performing Most of Its Responsibilities, but Further Improvements Are Needed (Mar. 2012). One of the Federal Government's latest security initiatives is the implementation of information security continuous monitoring, which is defined as maintaining ongoing, real-time awareness of information security, vulnerabilities, and threats to support organizational risk decisions. While the IRS has made progress and is in compliance with Department of Homeland Security and Department of the Treasury guidelines, we have found that, based on the large scale of the IRS's computer environment, a one-size-fits-all approach does not provide the best security for the IRS.\10\ --------------------------------------------------------------------------- \10\ TIGTA, Ref. No. 2014-20-083, The Internal Revenue Service Should Implement an Efficient Internal Information Security Continuous Monitoring Program That Meets Its Security Needs (Sept. 2014). We have also previously raised concerns over the remediation of security weaknesses identified in our audits. Management controls are a major part of managing an organization and provide reasonable assurance that organizational objectives are achieved. We have reviewed closed corrective actions to security weaknesses and findings reported by TIGTA and identified weak management controls in the IRS over its closed planned corrective actions for the security of systems involving taxpayer data.\11\ During our audit, TIGTA determined that eight (42 percent) of 19 planned corrective actions that were approved and closed by the IRS as fully implemented in response to reported security weaknesses from prior TIGTA audits were only partially implemented. --------------------------------------------------------------------------- \11\ TIGTA, Ref. No. 2013-20-117, Improved Controls Are Needed to Ensure That All Planned Corrective Actions for Security Weaknesses Are Fully Implemented to Protect Taxpayer Data (Sept. 2013). Management control also involves the use of risk-based decisions by IRS management to make an exception to its own policies and requirements based on suitable justification and a thorough assessment of evident and potential risks. For decisions related to the security of information systems, exceptions are allowed if meeting the requirement is: (1) not technically or operationally possible, or (2) not cost effective. We found that these risk-based decisions were not adequately tracked and documented. Without required supporting documentation, we could not determine why decisions were made and whether the information technology risks were appropriately accepted and approved.\12\ --------------------------------------------------------------------------- \12\ TIGTA, Ref. No. 2014-20-092, The Internal Revenue Service Does Not Adequately Manage Information Technology Security Risk-Based Decisions (Sept. 2014). --------------------------------------------------------------------------- attempts to defraud tax administration are increasing Due to its mission, the trillions of dollars that flow through the IRS each year, and the hundreds of millions of taxpayer data sets used and maintained by the IRS, the IRS is continuously under attack by criminals using the tax administration system for personal gain in various ways. These scams, and the methods used to perpetrate them, are constantly changing and require constant monitoring by the IRS. For at least the last decade, the IRS has provided the public with information about what it sees as the ``Dirty Dozen'' tax scams on its website. These scams range from offshore tax avoidance to fake charities, and inflated refund claims. Compiled annually, the ``Dirty Dozen'' lists a variety of common scams that taxpayers may encounter. In addition to the data breach discussed previously, two of the most pervasive frauds currently being perpetrated that impact tax administration are the phone impersonation scheme and identity theft. Phone Impersonation Scam The phone impersonation scam has proven to be so large that it is one of TIGTA's Office of Investigation's top priorities, and it has also landed at the top of the IRS's ``Dirty Dozen'' tax scams this year. It has proven to be a surprisingly effective and fast way to steal taxpayers' money, and in this fast-paced electronic environment, the money can be gone before the victims ever realize that they have been scammed. The number of complaints we have received about this scam makes it the largest, most pervasive impersonation scam in the history of our agency. It has claimed thousands of victims with reported losses totaling almost $19 million to date. We first started seeing concentrated reporting of these calls in August 2013. As the reporting continued through the fall, in October 2013 we started to specifically track this crime. To date, we have received hundreds of thousands of complaints about these calls. According to the victims, the scam artists made threatening statements and then demanded that the victims immediately put money on prepaid debit cards in order to avoid being arrested. The callers often warned the victims that if they hung up, local police would come to their homes to arrest them. The scammers may also send bogus IRS e-mails to support their scam. Those who fell for the scam withdrew thousands of dollars from their bank accounts and then purchased the prepaid debit cards as instructed by the callers. Once the prepaid debit cards were purchased, the perpetrators instructed the victims to call them back and read them the numbers on the prepaid card. By the time the victims realized they had been scammed, the perpetrators had negotiated the prepaid cards and the money was gone. To date, TIGTA has received over 525,000 reports of these calls. We continue to receive between 9,000 and 12,000 reports of these calls each week. As of May 25, 2015, 3,700 individuals have been victimized by this scam and have paid a total of almost $19 million, an average of approximately $5,100 per victim. The highest reported loss by one individual was over $500,000. In addition, 296 of these victims also provided sensitive identity information to these scammers. The perpetrators do not discriminate; they are calling people everywhere, of all income levels and backgrounds. Based on a review of the complaints we have received, we believe the calls are now being placed from more than one source. This scam is the subject of an ongoing multi-agency investigation. There is much that we are doing to apprehend the perpetrators, but TIGTA is not at liberty to disclose specifically what is being done as it may impede our ability to successfully bring these criminals to justice. I can tell you that it is a matter of high priority for law enforcement. However, there is much more that needs to be done, as these examples are part of a broader ring of scam artists operating beyond our borders. This is unfortunately similar to most of the cyber-crime we are seeing today--it is international in nature and committed by means of technology (e.g., in the case of the phone fraud scam, the use of Voice over Internet Protocol technology), and much of it originates from computers outside the United States. To further deceive their intended victims, by using this technology, the criminals create false telephone numbers that show up on the victim's caller ID system. For example, the criminals make it appear as though the calls are originating from Washington, DC or elsewhere in the United States. Identity Theft Another challenging area impacting tax administration is the growth in identity theft. At the same time the IRS is operating with a reduced budget, it continues to dedicate significant resources to detect and review potential identity theft tax returns as well as to assist victims. Resources have not been sufficient for the IRS to work identity theft cases dealing with refund fraud, which continues to be a concern. A critical component of preventing and combating identity theft refund fraud is the authentication of a taxpayer's identity at the time tax returns are processed. During the past several years, the IRS has continued to take steps to more effectively detect and prevent the issuance of fraudulent refunds resulting from identity theft tax return filings. The IRS reported that in Filing Season 2013, its efforts prevented between $22 billion and $24 billion in identity theft tax refunds from being issued.\13\ This is a result of the IRS's continued enhancement of filters used to detect tax returns that have a high likelihood of involving identity theft at the time the returns are processed. For example, the IRS used 11 filters in Processing Year (PY) 2012 to identify tax returns with a high likelihood of involving identity theft, compared to the 114 filters it used in PY 2014. The use of these filters assists the IRS in more effectively allocating its resources to address identity theft tax refund fraud. --------------------------------------------------------------------------- \13\ IRS Identity Theft Taxonomy, dated September 15, 2014, page 1. The IRS has also taken steps to more effectively prevent the filing of identity theft tax returns by locking the tax accounts of deceased individuals to prevent others from filing a tax return using their names and Social Security Numbers. The IRS has locked approximately 26.3 million taxpayer accounts between January 2011 and December 31, 2014. In addition, the IRS issues an Identity Protection Personal Identification Number (IP PIN) to any taxpayer who is a confirmed victim of identity theft or who has reported to the IRS that he or she could be at risk of identity theft. However, we reported that the IRS did not provide an IP PIN to 557,265 eligible taxpayers for Processing Year 2013.\14\ Once the IRS confirms the identity of a victim or ``at- risk'' taxpayer, the IRS will issue the taxpayer an IP PIN for use by the taxpayer when filing his or her tax return. The presence of a valid IP PIN on the tax return tells the IRS that the rightful taxpayer filed the tax return, thus reducing the need for the IRS to screen the tax return for potential identity theft. The IRS has issued more than 1.5 million IP PINs for PY 2015. --------------------------------------------------------------------------- \14\ TIGTA, Ref. No. 2014-40-086, Identity Protection Personal Identification Numbers Are Not Provided to All Eligible Taxpayers (Sept. 2014). Despite these improvements, the IRS recognizes that new identity theft patterns are constantly evolving and that consequently, it needs to adapt its detection and prevention processes. The IRS's own analysis estimates that identity thieves were successful in receiving over $5 --------------------------------------------------------------------------- billion in fraudulent tax refunds in Filing Season 2013. In summary, the IRS faces the daunting task of protecting its data and IT environment from the ever-changing and rapidly-evolving hacker world. This incident provides a stark reminder that even security controls that may have been adequate in the past can be overcome by hackers, who are anonymous, persistent, and have access to vast amounts of personal data and knowledge. The IRS needs to be even more vigilant in protecting the confidentiality of sensitive taxpayer information. Otherwise, as shown by this incident, taxpayers can be exposed to the loss of privacy and to financial damages resulting from identity theft or other financial crimes. We at TIGTA are committed to our mission of ensuring an effective and efficient tax administration system and preventing, detecting, and deterring waste, fraud, and abuse. As such, we plan to provide continuing audit and investigative coverage of the IRS's efforts to effectively protect sensitive taxpayer data and investigate any instances of attempts to corrupt or otherwise interfere with tax administration. Chairman Hatch, Ranking Member Wyden, and members of the committee, thank you for the opportunity to share my view. ______ Questions Submitted for the Record to Hon. J. Russell George Question Submitted by Hon. Mark R. Warner Question. It is my understanding that third-party vendors have signed up with the IRS to access taxpayer transcripts via the Income Verification Express Service. What is the IRS doing to ensure that these third-party vendors that have signed up with the IRS to access taxpayer transcripts have appropriate safeguards in place and are not vulnerable to data breaches? Answer. In January 2011, we evaluated regulations and Income Verification Express Service (IVES) enrollment policies to ensure lenders, such as banks, and companies that specialize in making third- party requests for lenders (Income Verification Specialists) properly protect taxpayers' tax return information.\1\ At that time, we determined that the IRS did not have a screening process and did not define minimum requirements in the form of a user agreement to help ensure IVES Program participants meet minimum standards and protect tax return information. In addition, we found the IRS did not require IVES Program participants to maintain electronic security and not disclose the information they receive from the IRS to nonaffiliated third parties. --------------------------------------------------------------------------- \1\ TIGTA, Ref. No. 2011-40-014, The Income Verification Express Services Program Needs Improvements to Better Protect Tax Return Information (Jan. 2011). We recently performed a review to determine if the IVES and Return and Income Verification Services programs had adequate processes and procedures in place designed to prevent inadvertent disclosures of taxpayer information.\2\ The scope of this review was limited to the environment and processes under the IRS's direct control. We found that generally the appropriate controls were in place and that for Fiscal Years 2009 through 2013 approximately 118 million requests were processed and fewer than 800 inadvertent disclosure incidents were recorded. Our report recommendations related to how quickly disclosures should be reported, determining the method to document and fully report disclosures, ensuring quality review teams conduct all established tests, and ensuring that internal policies are properly updated to document the correct process for reporting inadvertent disclosures. --------------------------------------------------------------------------- \2\ TIGTA, Ref. No. 2015-IE-R004, Requests for Taxpayer Information Were Generally Processed Properly in the Return and Income Verification Services and the Income Verification Express Service Programs (Mar. 2015). On June 1, 2016, we became aware of a fraud scheme in which perpetrators obtained sensitive tax and other identifying information and are using that information to order tax transcripts using the Transcript Delivery System (TDS). We have initiated a review to evaluate this issue as well as the adequacy of TDS's processes and procedures to ensure only authorized users obtain access to taxpayer information.\3\ --------------------------------------------------------------------------- \3\ TIGTA, Audit No. 201640032, Review of the Transcript Delivery System, report planned for June 2017. ______ Questions Submitted by Hon. John Thune Question. I understand that based on TIGTA's audit of tax year 2012, you reported that there were 787,000 fraudulent tax returns that went undetected by the IRS. This is actually an improvement, down from 1.1 million years for tax year 2011. How would you assess the progress being made by the IRS in preventing identity-theft related tax fraud? What overall grade would you give the IRS in this area? Answer. The IRS continues to make significant improvements in its identification of identity theft tax returns at the time the returns are processed and before fraudulent tax refunds are released. For example, the IRS reports that in the 2013 Filing Season,\4\ it detected approximately $24.3 billion in identity theft refund fraud. However, the IRS also recognizes that new identity theft patterns are constantly evolving and, as such, it needs to continue to adapt its detection and prevention processes. Consequently, the IRS continues to expand its filters used to detect identity theft refund fraud at the time tax returns are processed. --------------------------------------------------------------------------- \4\ The period from January through mid-April when most individual income tax returns are filed. For example, the IRS used 11 filters in Processing Year 2012 to detect approximately 325,000 tax returns that prevented the issuance of approximately $2.2 billion in fraudulent tax refunds. In Processing Year \5\ 2014 as of September 30, 2014, the IRS increased its filters to 114 and detected 832,412 tax returns, preventing the issuance of approximately $5.5 billion in fraudulent tax refunds. According to the IRS, for Processing Year 2015, it has increased the number of filters to 196 and detected 306,708 tax returns, preventing the issuance of about $2.2 billion in fraudulent tax refunds as of May 31st, 2015. --------------------------------------------------------------------------- \5\ The calendar year in which the tax return or document is processed by the IRS. In addition, the IRS continues to expand the locking of tax accounts, which results in the rejection of an electronically filed (e- filed) tax return (i.e., the IRS will not accept the tax return for processing). A locked tax account also prevents paper-filed tax returns from posting to the Master File if the Social Security Number associated with the locked tax account is used to file a tax return. Between January 2011 and May 31, 2015, the IRS locked approximately 28.6 million taxpayer accounts of deceased individuals. For Processing Year 2015 as of May 31, 2015, the IRS stopped 18,996 processed tax returns with refunds totaling approximately $31.4 million from posting to the Master File using the account locks. Additionally, the IRS has rejected (i.e., did not accept for processing) 85,811 e-filed tax --------------------------------------------------------------------------- returns through the use of these locks. For the 2013 Filing Season, the IRS also developed and implemented a clustering filter tool in response to TIGTA's continued identification of large volumes of undetected potentially fraudulent tax returns for which tax refunds had been issued to the same address or deposited into the same bank account. Tax returns identified are withheld from processing until the IRS can verify the taxpayer's identity. For Filing Season 2015 as of May 2, 2015, the IRS reports that, using this tool, it has identified 201,373 tax returns and prevented the issuance of approximately $496.5 million in fraudulent tax refunds. Despite the improvements in identification of identity theft tax returns at the time the returns are processed and before fraudulent tax refunds are released, the IRS still does not have timely access to third-party income and withholding information. Most third-party income and withholding information is not received by the IRS until well after tax return filing begins. For example, the deadline for filing most information returns with the IRS is March 31st, yet taxpayers can begin filing their tax returns as early as mid-January. In its Fiscal Year 2015 Revenue Proposal, the IRS once again included a request for a legislative proposal to accelerate the deadline for filing third-party income and withholding information returns and eliminate the extended due date for electronically filed information returns. In continuing our assessment of the IRS's identification of fraudulent tax returns involving identity theft, we initiated a review in August 2015 to follow-up on the IRS's identity theft detection and prevention efforts, including assessing the IRS's efforts to quantify undetected identity theft through its Taxonomy project.\6\ The Taxonomy project aggregates the impact and loss of identity theft protection efforts across several IRS organizations and its goal is to achieve the level of precision and completeness required to provide critical strategic insights on identity theft affecting tax administration. We plan to issue our report by December 2016. --------------------------------------------------------------------------- \6\ TIGTA, Audit No. 201540001, Detection and Prevention of Identity Theft on Individual Tax Accounts--Follow-Up, report planned for Dec. 2016. Question. Mr. George, in your testimony you note that there are 44 recommendations by TIGTA to the IRS in the area of information security that the IRS has yet to implement. Do you believe that these are recommendations the IRS can implement within its current budget? Has --------------------------------------------------------------------------- the IRS made a commitment to TIGTA to implement these recommendations? Answer. We cannot definitively answer whether the IRS can implement our recommendations as it is up to the IRS to prioritize its planned corrective actions. As of June 15, 2015, the IRS reported that it had recently closed eight of the 44 recommendations cited in our testimony. Of the 36 remaining recommendations, the IRS indicated in its response to our report that the completion of corrective actions in response to two of these recommendations may be contingent on available funding: (1) identifying funding needed to support implementation of a Homeland Security Directive to require Personal Identity Verification card access to the IRS network and information systems;\7\ and (2) fully implementing software that will enable the IRS to identify where its most sensitive data are stored, who has access to the data, and where and by whom the data are sent to outside the IRS network.\8\ --------------------------------------------------------------------------- \7\ TIGTA, Ref. No. 2014-20-069, Progress Has Been Made; However, Significant Work Remains to Achieve Full Implementation of Homeland Security Presidential Directive (Sept. 2014). \8\ TIGTA, Ref. No. 2014-20-087, While the Data Loss Prevention Solution Is Being Developed, Stronger Oversight and Process Enhancements Are Needed for Timely Implementation Within Budget (Sept. 2014). As part of our audit process, the IRS can either agree or disagree with our audit recommendations. When it agrees, the IRS commits that they will correct the deficiency that we identified. In a prior audit, we assessed whether closed corrective actions to security weaknesses and findings reported by TIGTA had been fully implemented, validated, and documented as implemented.\9\ During our audit, we determined that eight (42 percent) of 19 corrective actions that were approved and closed as fully implemented to address reported security weaknesses from prior TIGTA audits were only partially implemented. These corrective actions involved systems with taxpayer data. --------------------------------------------------------------------------- \9\ TIGTA, Ref. No. 2013-20-117, Improved Controls Are Needed to Ensure That All Planned Corrective Actions for Security Weaknesses Are Fully Implemented to Protect Taxpayer Data (Sept. 2013). On occasion, the IRS will disagree with our audit recommendations. In fact, during the last three fiscal years (Fiscal Years 2012 to 2014), the IRS disagreed with 10 of our 109 recommendations relating to --------------------------------------------------------------------------- information security in the following reports. Using SmartID Cards to Access Computer Systems Is Taking Longer Than Expected (Ref # 2012-20-115, dated September 28, 2012). The IRS disagreed with two of nine recommendations. Improvements Are Needed to Ensure the Effectiveness of the Privacy Impact Assessment Process (Ref # 2013-20-023, dated February 27, 2013). The IRS disagreed with two of 11 recommendations. Better Cost-Benefit Analysis and Security Considerations Are Needed for the Bring Your Own Device Pilot Project (Ref # 2013-20-108, dated September 24, 2013). The IRS disagreed with one of five recommendations. While Efforts Are Ongoing to Deploy A Secure Mechanism to Verify Taxpayer Identifies, the Public Still Cannot Access Their Tax Account Information Via the Internet (Ref # 2013-20-127, dated September 25, 2013). The IRS disagreed with one of four recommendations. Improved Controls Are Needed to Ensure All Planned Corrective Actions for Security-Related Weaknesses Are Fully Implemented to Protect Taxpayer Data (Ref # 2013-20-117, dated September 27, 2013). The IRS disagreed with one of six recommendations. Planning is Underway for the Enterprise-Wide Transition to Internet Protocol Version 6 but Further Actions Are Needed (Ref # 2014- 20-016, dated February 27, 2014). The IRS disagreed with two of seven recommendations. While the Data Loss Prevention Solution Is Being Developed, Stronger Oversight and Process Enhancements Are Needed for Timely Implementation Within Budget (Ref # 2014-20-087, dated September 22, 2014). The IRS disagreed with one of 12 recommendations. ______ Question Submitted by Hon. Thomas R. Carper Question. Please provide additional information on the cost of critical pay at the Internal Revenue Service (IRS). Answer. TIGTA determined that the extra salary costs of the Streamlined Critical Pay program totaled approximately $1.7 million over the period reviewed (Calendar Years 2010 through 2013). The average pay of the highest graded Senior Executive Service Positions (ES-6) was approximately $179,000 a year while the average pay for the Streamlined Critical Pay positions was $ 198,000. ______ Prepared Statement of Hon. Orrin G. Hatch, a U.S. Senator From Utah WASHINGTON--Senate Finance Committee Chairman Orrin Hatch (R-Utah) today delivered the following opening statement at a committee hearing regarding the data theft at the Internal Revenue Service (IRS) which compromised the private information of over 100,000 taxpayers: Our hearing today concerns recent revelations that the Internal Revenue Service was the target of an organized service breach aimed at roughly 200,000 taxpayer accounts. We understand that over 100,000 of these breaches were successful, with cyber-criminals obtaining confidential taxpayer information from the agency's Get Transcript application. In dealing with this breach here in the Senate, this Committee stands alone, having legislative jurisdiction over the Internal Revenue Code, oversight jurisdiction over the IRS, and wide-ranging abilities to conduct investigations dealing with individual taxpayer information. While I have raised questions in the past about the way the IRS prioritizes its spending, today's hearing is about finding out how criminals stole vast amounts of taxpayer information. Any questions regarding funding levels for the agency should wait until we have a complete understanding about what occurred. Before we turn to the technological issues, let's focus for a moment on the victims. Because of this breach, criminals were able to get personal information about roughly 104,000 taxpayers, potentially including Social Security Numbers, bank account numbers, and other sensitive information. These taxpayers, and their families, must now begin the long and difficult process of repairing their reputations. And they must do so with the knowledge that the thieves who stole their data will likely try to use it to perpetrate further fraud against them. Commissioner Koskinen, put simply, your agency has failed these taxpayers. This hearing is of utmost importance as we work to find out what individuals and organizations were behind this breach; discover how this breach occurred, and what steps the IRS might have taken to prevent it; find out what taxpayer information was compromised, and how this may affect both taxpayers and tax administration going forward; and determine what tools and resources are necessary to better protect taxpayers, catch cyber-criminals, and prevent this type of breach from being successful in the future. Most of all, we must pledge to work together to make sure that this type of breach does not happen again. The secure movement of information is the lifeblood of international commerce and a necessary predicate for efficient government administration. Unfortunately, this information is also highly valuable to criminals. We see it in the headlines nearly every week--a major insurance company, bank, or retailer, has its information security compromised and personal information or corporate data is stolen. Federal departments--especially defense related agencies--come under attack each and every day. The IRS is not, and will never be, exempted from this constant threat. In fact, there is reason to believe the IRS will be more frequently targeted in the future. After all, the IRS stores highly sensitive information on each and every American taxpayer, from individual taxpayers to large organizations and from mom and pop businesses to multinational corporations. The challenge of data security matters a great deal to every single taxpayer and will continue to be a central challenge to tax administration in the coming years. Of course, data security and the protection of taxpayer information are of the highest importance in the prevention of stolen identity refund fraud. Identity theft, and the resulting tax fraud, costs taxpayers billions of dollars every year, and, once it occurs, it can take months or years for a taxpayer to mitigate the damage. It was out of concern over stolen identity refund fraud that Ranking Member Wyden and I quietly launched an investigation earlier this year, requesting information and documents from the country's largest tax return preparers and debit card companies. We look forward to working with the IRS as we move forward with this investigation and consider policy changes. We also look forward to hearing the report from your preparer working groups, and the committee looks forward to weighing in on those matters in the near future. So I welcome our witnesses today, IRS Commissioner Koskinen and Inspector General George. Commissioner Koskinen, earlier this year, when I first welcomed you before the Committee as Chairman, I noted that I hoped it would be the beginning of a new chapter in the long, historic relationship between the Internal Revenue Service and the Senate Finance Committee. I said that because the issues before us are too great for that relationship to be anything but open, honest, and productive. Today's topic is a great example of why that relationship is so important. Cyber-threats will only continue to grow, and those types of threats go to the core of our voluntary tax system. We must work together to figure out what happened, what went wrong in allowing the breach to occur, and how we can prevent another successful attack from taking place in the future. Finally, I would like to acknowledge that today's hearing occurs during somewhat unusual circumstances. The issue before us is the subject of several recently opened investigations, including a criminal investigation conducted by TIGTA. I caution members of the committee to be sensitive to these investigations when asking questions of the witnesses, and be aware that they may not be able to provide full answers to every question in this public forum. In spite of these limitations, it is important to discuss this matter today as fully and candidly as possible. ______ Prepared Statement of Hon. John A. Koskinen, Commissioner, Internal Revenue Service Chairman Hatch, Ranking Member Wyden, and members of the committee, thank you for the opportunity to appear before you today to provide information on the recent unauthorized attempts to obtain taxpayer data through the IRS's Get Transcript online application. While we are continuing our in-depth analysis of what happened, the analysis thus far has found that the unauthorized attempts to request information from the Get Transcript application were complex and sophisticated in nature. These attempts were made using taxpayers' personal information already obtained from sources outside the IRS-- meaning the parties making the attempts had enough information to clear the Get Transcript application's multi-step authentication process. For now, our biggest concern is for the affected taxpayers, to make sure they are protected against fraud in the future. We recognize the severity of the situation for these taxpayers, and we are doing everything we can to help them. Securing our systems and protecting taxpayers' information is a top priority for the IRS. Even with our constrained resources as a result of cuts to our budget totaling $1.2 billion since 2010, we continue to devote significant time and attention to this challenge. At the same time, it is clear that criminals have been able to gather increasing amounts of personal data as the result of data breaches at sources outside the IRS, which makes protecting taxpayers increasingly challenging and difficult. The problem of personal data being stolen from sources outside the IRS to perpetrate tax refund fraud exploded from 2010 to 2012, and for a time overwhelmed law enforcement and the IRS. Since then, we have been making steady progress, both in terms of protecting against fraudulent refund claims and prosecuting those who engage in this crime. Over the past few years, almost 2,000 individuals were convicted in connection with refund fraud related to identity theft. The average prison sentence for identity theft-related tax refund fraud grew to 43 months in Fiscal Year (FY) 2014 from 38 months in FY 2013, with the longest sentence being 27 years. Additionally, as our processing filters have improved, we have also been able to stop more suspicious returns at the door, rather than accepting them for processing. This past filing season, our fraud filters stopped almost 3 million fraudulent returns before processing them, an increase of over 700,000 from the year before. But, even though we have been effective at stopping individuals perpetrating these crimes, we find that we are dealing more and more with organized crime syndicates here and around the world. At the same time, over the last several years, the IRS has been working to meet taxpayers' increasing demand for self-service and electronic service options by providing them with more web-based tools, to make their interactions with us simpler and easier. As part of that effort, we launched the Get Transcript online application in January 2014. Get Transcript allows taxpayers to view and print a copy of their prior-year tax information, also known as a transcript, in a matter of minutes. Prior to the introduction of this online tool, taxpayers had to wait 5 to 7 days after placing an order by phone or by mail to receive a paper transcript by mail. Taxpayers use tax transcript information for a variety of financial activities, such as verifying income when applying for a mortgage or student loan. To access Get Transcript, taxpayers must go through a multi-step authentication process to prove their identity, consistent with many organizations in the financial services industry. They must first submit personal information such as their Social Security Number (SSN), date of birth, tax filing status, and home address, as well as an e- mail address. The taxpayer then receives an e-mail from the Get Transcript system containing a confirmation code that they enter to access the application and request a transcript. Before the request is processed, the taxpayer must respond to several ``out-of-wallet'' questions--a customer authentication method that is standard within the financial services industry. The questions are designed to elicit information that only the taxpayer would normally know, such as the amount of their monthly mortgage or car payment. During the 2015 filing season, taxpayers used the Get Transcript application to successfully obtain approximately 23 million copies of their recently filed tax information. If this application had not existed and these taxpayers had to call or write us to order a transcript, it would have stretched our limited resources even further. That is important to note, given our limitations during the past filing season. We would have been much less efficient in providing taxpayer service, not to mention the additional burden placed on taxpayers. During the middle of May, our cyber-security team noticed unusual activity on the Get Transcript application. At the time, our team thought this might be a ``denial of service'' attack, where hackers try to disrupt a website's normal functioning. Our teams worked aggressively to look deeper into the situation during the following days, and ultimately uncovered questionable attempts to access the Get Transcript application. As a result, the IRS shut down the Get Transcript application on May 21st. The application will remain disabled until the IRS makes modifications and further strengthens security for the application. It should be noted that the third parties who made these unauthorized attempts to obtain tax account information did not attempt to gain access to the main IRS computer system that handles tax filing submissions. The main IRS computer system remains secure, as do other online IRS applications such as ``Where's My Refund?'' Unlike Get Transcript, the other online applications do not allow taxpayers to access their personal tax data. As they continued to investigate, our team determined that a total of approximately 200,000 suspicious attempts to gain access to taxpayer information on the Get Transcript application had been made between mid-February and mid-May. About 100,000 of the attempts were unsuccessful, with the parties making these attempts unable to work their way through the protections in place. But we know that the other 100,000 or so attempts to request information from the Get Transcript application between mid-February and mid-May were successful. We are analyzing what, if anything, was done with the personal information of these taxpayers obtained using the Get Transcript application, and have discovered the following: About 35,000 taxpayers had already filed their 2014 income tax returns before the unauthorized attempts at access. This means that these taxpayers' 2014 returns and refund claims were not affected by this fraudulent activity, because any fraudulent return subsequently filed in their names would be automatically rejected by our systems; For another 33,000, there is no record of any return having been filed in 2015. This could be the case for a number of reasons. For example, the SSNs associated with these individuals may belong to those who have no obligation to file, such as children, or anyone below the tax filing threshold; Unsuccessful attempts were made to file approximately 23,500 returns. These 23,500 returns were flagged by our fraud filters and stopped by our processing systems before refunds were issued; and Since this activity occurred, about 13,000 suspect returns were filed for tax year 2014 for which the IRS issued refunds. Refunds issued for these 13,000 suspect returns totaled about $39 million, and the average refund was approximately $3,000 per return. We are still determining how many of these returns were filed by the actual taxpayers and which were filed using stolen identities. We will work with any of these affected taxpayers who had fraudulent returns filed in their name. As I mentioned at the outset, our analysis thus far has found that the unauthorized attempts to access information using the Get Transcript application were complex and sophisticated in nature. These attempts were made using personal information already obtained from sources outside the IRS--meaning the parties making the attempts had enough information to clear the Get Transcript application's multi-step authentication process, including answers to the out-of-wallet questions. We believe it is possible that some of the attempts to access tax transcripts were made with an eye toward using the information to file fraudulent tax returns next year. For example, any prior-year return information criminals obtain would help them more easily craft seemingly authentic returns, making it more difficult for our filters to detect the fraudulent nature of the returns. As noted above, since we have already disabled Get Transcript, our biggest concern right now is for the affected taxpayers, to make sure they are protected against fraud in the future. We recognize the severity of the situation for these taxpayers, and have taken a number of immediate steps to assist the affected taxpayers in protecting their data against fraud that might be perpetrated against them. First, we have placed an identifier on the accounts of the roughly 200,000 affected taxpayers on our core tax account system to prevent someone else from filing a tax return in their name--both now and in future years. Second, we are in the process of writing to all 200,000 taxpayers to let them know that third parties appear to have gained access from outside the IRS to personal information such as their SSNs, in an attempt to obtain their tax information from the IRS. Although half of this group did not actually have their transcript accessed because those who were trying to gain this information failed the authentication tests, the IRS believes it is important to make these taxpayers aware that someone else has their personal data. We want them to be able to take steps to safeguard their data. Letters have already been sent to all of the approximately 100,000 taxpayers whose tax information was successfully obtained by unauthorized third parties. We are offering credit monitoring, at our expense, to this group of taxpayers. We strongly encourage people who receive this letter to take advantage of this offer. We are also giving them the opportunity to provide us with the authentication documentation necessary to obtain an Identity Protection Personal Identification Number (IP PIN). This will further safeguard their IRS accounts and help them avoid any problems filing returns in future years. As further analysis is done, we may uncover evidence that personal information of others, such as spouses and dependents of the taxpayers already identified, was also compromised, and we will take similar steps to protect those individuals. More broadly, the IRS continues to work to help taxpayers who have been victims of identity theft. For example, for the 2015 filing season, the IRS has issued IP PINs to 1.5 million taxpayers previously identified by the IRS as victims of identity theft. Also during this period, the IRS notified another 1.7 million taxpayers that they were eligible to visit IRS.gov and opt in to the IP PIN program. Meanwhile, taxpayers living in Florida, Georgia, and Washington, DC--three areas where there have been particularly high concentrations of identity- theft related refund fraud--are eligible to participate in a pilot where they can receive an IP PIN upon request, regardless of whether the IRS has identified them as a victim of identity theft. In terms of our investigative work on identity theft, it is important to note that our Criminal Investigation (CI) division has seen an increase in identity theft crime being perpetrated by organized crime syndicates. The IRS is working closely with law enforcement agencies in the U.S. and around the world to prosecute these criminals and protect taxpayers. But the fact remains that these cyber-criminals are increasingly sophisticated enemies, with access to substantial volumes of data on millions of people. For that reason, we recently held a sit-down meeting with the leaders of the tax software and payroll industries and state tax administrators, and agreed to build on our cooperative efforts of the past and find new ways to leverage this public-private partnership to help battle identity theft. The working groups that were formed out of this meeting have continued to meet, and later this month we expect to announce an agreement on short-term solutions to help better protect personal information in the upcoming tax filing season, and to continue to work on longer-term efforts to protect the integrity of the nation's tax system. One of the three working groups formed out of this meeting focuses on authentication. As criminals obtain more personal information, authentication protocols need to become more sophisticated, moving beyond information that used to be known only to individuals but now, in many cases, is readily available to criminal organizations from various sources. We must balance the strongest possible authentication processes with the ability of taxpayers to legitimately access their data and use IRS services online. The challenge will always be to keep up with, if not get ahead of, our enemies in this area. Congress has an important role to play here. Congress can help by approving the President's FY 2016 Budget request, which includes $101 million specifically devoted to identity theft and refund fraud, plus $188 million for critical information technology infrastructure. Along with providing adequate funding, lawmakers can help the IRS in the fight against refund fraud and identity theft by passing several important legislative proposals in the President's FY 2016 Budget proposal. A key item on this list is a proposal to accelerate information return filing dates. Under current law, most information returns, including Forms 1099 and 1098, must be filed with the IRS by February 28 of the year following the year for which the information is being reported, while Form W-2 must be filed with the Social Security Administration (SSA) by the last day of February. The due date for filing information returns with the IRS or SSA is generally extended until March 31st if the returns are filed electronically. The Budget proposal would require these information returns to be filed when copies of this information are provided to the taxpayers, generally by January 31st of the year following the year for which the information is being reported, which would assist the IRS in identifying fraudulent returns and reduce refund fraud related to identity theft. There are a number of other legislative proposals in the Administration's FY 2016 Budget that would also assist the IRS in its efforts to combat identity theft, including: giving Treasury and the IRS authority to require or permit employers to mask a portion of an employee's SSN on W-2s, which would make it more difficult for identity thieves to steal SSNs; adding tax-related offenses to the list of crimes in the Aggravated Identity Theft Statute, which would subject criminals convicted of tax-related identity theft crimes to longer sentences than those that apply under current law; and adding a $5,000 civil penalty to the Internal Revenue Code for tax-related identity theft cases, to provide an additional enforcement tool that could be used in conjunction with criminal prosecutions. Chairman Hatch, Ranking Member Wyden, and members of the committee, thank you again for the opportunity to provide information on the recent unauthorized attempts to obtain taxpayer data through the IRS's Get Transcript online application. This concludes my statement, and I would be happy to take your questions. ______ Questions Submitted for the Record to Hon. John A. Koskinen Questions Submitted by Hon. Dean Heller Question. The recent IRS data breach of 104,000 victims only emphasizes how tax schemes, such as identity theft and return preparer fraud, are on the rise. For the 2014 tax year, it is estimated there have been close to 2 million in confirmed tax related identity thefts. In my home state alone, there have been over 14,000 victims. These numbers are disturbing, but what is more upsetting is the complex and frustrating process that these innocent victims are put through. It is my understanding refunds can take almost a year to get back to the true taxpayer. For this recent data breach, how is the IRS addressing the affected taxpayers, especially the ones where a return had been illegally filed and a refund issued? Answer. We realize the importance of resolving cases involving identity theft quickly and efficiently, thus allowing taxpayers victimized by identity theft to receive their refunds as soon as possible and helping to reduce the risk that adverse enforcement actions will be taken against them. To that end, we continue to develop and implement new procedures to improve the service provided to identity theft victims. Due to the complexity of these situations, identity theft victim case resolution can be a time-consuming process. However, the IRS has successfully reduced the case-processing and resolution time for identity-theft cases to improve service to the taxpayer. During the past fiscal year, taxpayers who became identity theft victims had their situations resolved in roughly 120 days, far more quickly than in previous years, when cases could take over 300 days to resolve. The IRS continues to evaluate systems and processes to improve the taxpayer experience. The IRS continues to expand its outreach initiatives to provide taxpayers, return preparers, state tax agencies, and other stakeholders with the information they need to prevent tax-related identity theft and, when identity theft does occur, to resolve issues as quickly and efficiently as possible. We also partner with other federal agencies to further these outreach efforts. Ensuring the security of our systems and the protection of taxpayers and their information are top priorities. Even with our constrained resources over the past few years, we continue to devote significant time and attention to these challenges. Ongoing data breaches involving other companies and organizations, through which criminals have been able to gather increasing amounts of personal data, make it even more challenging and difficult to protect taxpayers. You asked how the IRS is addressing the taxpayers affected by the recent unauthorized-access incident involving the Get Transcript application. In May, the IRS determined unauthorized third parties already had sufficient information from a source outside the tax agency before accessing the Get Transcript application. This allowed them to clear a multi-step authentication process, including several personal verification questions that typically are only known by the taxpayer. When the IRS first identified the problem in May, we determined that these third parties with taxpayer-specific sensitive data from non-IRS sources had cleared the Get Transcript verification process on about 114,000 total attempts. In addition, it appeared at that time that third parties had made attempts that failed to pass the final verification step, meaning they were unable to access account information through the Get Transcript service. Since then, as part of the IRS's continued efforts to protect taxpayer data, the IRS conducted a deeper analysis over a wider time period covering the 2015 filing season, analyzing more than 23 million uses of the Get Transcript system. The new review identified an estimated additional 220,000 attempts where individuals with taxpayer- specific sensitive data cleared the Get Transcript verification process. The review also identified an additional 170,000 suspected attempts that failed to clear the authentication processes. The IRS mailed letters to all taxpayers identified in May and, later, we also mailed letters to the population identified in August as part of our continued analysis. To the taxpayers whose tax information was successfully obtained by unauthorized third parties, we are offering credit monitoring, at our expense. We strongly encourage the recipients of these letters to take advantage of the credit monitoring. We are also giving them the opportunity to provide us with the authentication documentation necessary to get an Identity Protection Personal Identification Number (IP PIN). This will further safeguard their IRS accounts and help them avoid any problems filing returns in future years. The IRS is marking all of the affected accounts with indicators that will help identify and prevent any fraudulent returns from being filed under those Social Security Numbers (SSN). The Get Transcript application was shut down in May, and the IRS continues to work on strengthening the system. In the meantime, taxpayers have several other options to obtain transcripts. The IRS takes the security of taxpayer data extremely seriously, and we are working aggressively to protect affected taxpayers and continue to strengthen our systems. The matter remains under review by the Treasury Inspector General for Tax Administration as well as IRS Criminal Investigation. Question. I understand that the IRS is considering allowing these individuals to receive a secure PIN, also known as the IP PIN, as part of an IRS pilot program. Could a secure PIN be provided to all taxpayers? If not, why not? Answer. The Identity Protection Personal Identification Number (IP PIN) is one component of the IRS arsenal to combat identity theft and fraud. We have many other tools and solutions in use and under development to increase security of taxpayer data. We are conducting research and analysis to determine the feasibility of expanding the IP PIN program. Although additional expansion of the IP PIN program may help safeguard more taxpayers from tax-related identity theft and refund fraud, it would require a substantial investment of financial resources which are not available at this time. Question. Public trust is crucial to the IRS's success. I was disturbed to understand that a recent GAO report found that a number of weaknesses, to effectively protect taxpayers' confidentiality, integrity and availability of sensitive taxpayer data, had not been implemented. My understanding is that less than a third of changes were implemented remain open between the last GAO audit and this year. How can the committee or taxpayers have faith in the IRS, if significant deficiencies in internal controls are not being addressed? Follow-up when do you expect to have these weaknesses addressed? Answer. The security and privacy of taxpayer information and the integrity of our computer systems continue to be sound. Our Cyber- security program provides proactive defenses by implementing world- class security practices in planning, implementation, management, and operations involving people, process, and technologies. We continually monitor the security controls in our information systems and the environments in which those systems operate. We also maintain awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. We remain committed to our ongoing programs to manage the security risks in our IT infrastructure in accordance with industry standards and as required by the Federal Information Security Management Act (FISMA) and the National Institute of Standards and Technology guidance, and we continue to decrease the number of our unresolved weaknesses. We are working diligently to address all of the findings identified by GAO. The IRS has submitted 31 of the 79 open findings to GAO for closure during the FY 2015 audit. Currently, up to 30 of the remaining open items are in progress and scheduled to be submitted to GAO for closure in FY 2016. The balance of the open findings are scheduled for closure by FY 2019. It should be noted that GAO's recommendations do not concern fundamental weaknesses in taxpayer-facing systems. Rather, they concern weaknesses in our controls for internal systems--that is, systems and data that are behind our portal and firewalls. These systems have less risk of experiencing security issues because they are not connected directly to the external internet. In addition, factors such as budget uncertainties, hiring freezes, skillset deficits, and complexities associated with our antiquated legacy environment, as well as cutbacks affecting our ability to update our infrastructure, must also be considered. Nonetheless, we continue to review and evaluate all of GAO's recommendations along with other outstanding recommendations in light of risk and security controls and processes currently in place. We are building corrective action plans where appropriate to address the recommendations, and we are prioritizing and addressing them as resources permit. Significant progress has been made in addressing these recommendations in areas where we are most vulnerable. Our efforts to install software patches for security vulnerabilities continue to improve with the implementation of newer releases of more efficient and effective patching tools. We are developing our enterprise-wide processes to deliver software patches across all of our environments. This extensive effort continues to improve our vulnerable systems and the timeliness of patching provided by our patching teams. These improvements have been realized in spite of increasing challenges such as more sophisticated attackers, increased system complexity in our environments, and loss of some of our most experienced staff. While some patch management activities may take longer than we would like due to funding reductions, resource constraints, and the complexity of our environments, we expect to address the GAO findings related to patch management in FY 2016 as we continue to improve the program. We are making steady progress in closing vulnerabilities and addressing GAO findings associated with passwords. We have implemented standards that create systemic fixes for common issues in creating employee and administrator passwords. We also conduct monthly vulnerability scanning to ensure systems compliance with the password policy. Although we have not had sufficient funding and capacity to implement the Homeland Security Presidential Directive (HSPD)-12 initiative as quickly as we would like, we are continuing to transition from using passwords to using the Personal Identity Verification (PIV) card for system sign-on for all users. This required substantial effort due to the number of systems that need updating, the advanced age of some of these systems, the complexity of system interactions, and the high cost to update them. We expect 100% of users with regular access privileges to be HSPD-12 ready by the end of FY 2016. We are enhancing our auditing and monitoring capabilities by dedicating our limited resources in this area to our highest risk systems. This will help us track security violations and confirm individual accountability. In FY 2014, we developed a risk-based prioritization strategy to align the schedules of systems needing audit trails. Since FY 2014, we have been dedicating significant financial resources to ensure all new systems are implemented with audit trails, and to expand the audit trails infrastructure capacity to support the new data collection. We have prioritized the audit trails findings in the GAO report and we expect that the systems documented in the report will be completed in FY 2016 and FY 2017. Question. The Committee held a hearing, earlier this year, on tax scams including identity theft, ``Protecting Taxpayers from Schemes and Scams during the 2015 Filing Season.'' Mr. Alley, the Commissioner of the Indiana Department of Revenue, stressed that the identity confirmation quiz was a significant and powerful tool to combat ID fraud. Has the IRS considered implementing a similar procedure such as this to reduce tax scams? Answer. The IRS currently uses an identity-confirmation quiz, called out-of-wallet questions, to authenticate taxpayers. The name refers to questions that would not be easily answerable with the information in a person's wallet if it were stolen. The IRS is reviewing multiple-authentication policy and capabilities in response to the unauthorized disclosures associated with the Get Transcript application. We are researching internal capabilities as well as those available from third parties through existing and planned contracts. These options include, but are not limited to: Third-party configuration changes to strengthen out-of-wallet questions; Internal IRS configuration updates to limit fraud and vulnerabilities to scripting attacks; Additional levels of assurance and authentication points; and Additional risk-based authentication capabilities. We must balance the strongest possible authentication processes with the ability of taxpayers to legitimately access their data and use IRS services online. The challenge will always be to keep up with, if not get ahead of, fraudsters in this area. Question. In Mr. Alley's testimony, he also focused on how the identity confirmation quiz is only part of a larger process to strategically focus on identity theft and refund fraud. This encompassed hiring additional talent, implementing new procedures and new IT systems and conducting a public relations campaign. What steps are the IRS taking to address identity theft? Answer. The IRS has a comprehensive and aggressive identity-theft strategy focused on preventing refund fraud, investigating these crimes, and assisting taxpayers victimized by identity thieves. We are also continuously conducting analysis and looking for ways to improve identity-theft detection. Because identity-theft criminals have significant resources to devote to these schemes, their methods are constantly evolving, forcing us to continually adjust our filters and processes accordingly. Realizing that we are only one stakeholder in the battle against identity theft, in March we organized a Security Summit that included representatives from the IRS, state tax agencies and private industry, such as software vendors, to work on collaborative solutions to combat fraud schemes. The Summit established a new public/private partnership effort to combat identify theft, refund fraud and protect the nation's taxpayers. In addition, participants reached agreement on several initiatives to address identity theft. These initiatives were announced on June 11, 2015. The agreement includes identifying new steps to validate taxpayer and tax return data at the time of filing. The effort will increase information sharing between industry and government. This public/private partnership is continuing to work on initiatives to be implemented in 2017 and beyond. In addition to victim assistance and outreach, the IRS's identity theft strategy also focuses on preventing refund fraud and investigating these crimes. Additional initiatives include these FY 2015 items: We now limit the number of tax refund deposits to a single account to three (3). Additional refunds to the same account are converted to paper checks. We believe this initiative has had a positive impact on our efforts to deter fraud and identity theft. We began receiving device ID information to identify potential identity theft or fraud. The device ID is the serial number (or fingerprint) of the device (for example, computer, smart phone, or tablet). The unique ID is transmitted as part of the electronically filed return via our existing transmission process and enables the IRS to associate fraudulent returns that are filed from the same device. In addition to the nearly 1.5 million taxpayers that are given an Identity Protection Personal Identification Number (IP PIN), we expanded the population eligible for IP PINs to taxpayers previously identified by the IRS as victims of identity theft. This allowed approximately 1.7 million more taxpayers to opt in to the IP PIN program. We continue to accelerate the use of more types of information returns to identify mismatches earlier. We provide phone, online and in person channels to enable taxpayers inadvertently caught up in our protective filters to validate their identity and have their return processed. We continue to implement new identity theft screening filters to improve our ability to spot false returns before we process them and issue refunds. The IRS also continues to collaborate with software companies and financial institutions to identify patterns, trends and schemes that affect refund returns. The IRS also has initiated additional collaboration with the Bureau of Fiscal Service (BFS) on multiple direct deposits and payments shared between government agencies in the development of the new Payment Processing System. This collaboration provides an opportunity for IRS and other government agencies to work through BFS to identify fraudulent payments, increase recovery opportunities, improve data access, and reduce time in extracting or analyzing information from multiple data sources. This will also afford the opportunity for IRS and BFS to collaborate on refunds that have made it through IRS systems but appear suspicious based upon additional information and data external to IRS. The BFS system is expected to be online in September 2016. In addition, Congress can help us in the fight against refund fraud and identity theft, by enacting several important legislative proposals in the President's FY 2016 Budget proposal, including the following: Acceleration of information return filing due dates. Under current law, most information returns, including Forms 1099 and 1098, must be filed with the IRS by February 28th of the year following the year for which the information is being reported, while Form W-2 must be filed with the Social Security Administration (SSA) by the last day of February. The due date for filing information returns with the IRS or SSA is generally extended until March 31st if the returns are filed electronically. The Budget proposal would require these information returns to be filed earlier, which would assist the IRS in identifying fraudulent returns and reduce refund fraud, including refund fraud related to identity theft. Correctible error authority. The IRS has authority in limited circumstances to identify certain computation or other irregularities on returns and automatically adjust the return for a taxpayer, colloquially known as ``math error authority.'' At various times, Congress has expanded this limited authority on a case-by-case basis to cover specific, newly enacted tax code amendments. The IRS would be able to significantly improve tax administration--including reducing improper payments and refund fraud as well as cutting down on the need for costly audits--if Congress were to enact the Budget proposal to replace the existing specific grants of this authority with more general authority covering computation errors and incorrect use of IRS tables. Congress could also help in this regard by creating a new category of ``correctable errors,'' allowing the IRS to fix errors in several specific situations, such as when a taxpayer's information does not match the data in certain government databases. To correct these errors today, IRS must open an audit, and we are limited in the number of audits we conduct by the resources available to engage with the taxpayer in the full audit process. Being able to correct certain mismatch errors would help with reducing some types of refund fraud. Authority to ensure minimum qualifications for return preparers. In the wake of court decisions striking down the IRS's authority to regulate unenrolled and unlicensed paid tax return preparers, Congress should enact the Budget proposal to provide the agency with explicit authority to ensure paid preparers maintain minimum qualifications. This authority would help promote high quality services from tax return preparers, reduce refund fraud, improve voluntary compliance, foster taxpayer confidence in the fairness of the tax system, and protect taxpayers from preparer errors. Expanded access to Directory of New Hires. Under current law, the IRS is permitted to access the Department of Health and Human Services' National Directory of New Hires only for purposes of enforcing the Earned Income Tax Credit and verifying employment reported on a tax return. The proposal would allow IRS access to the directory for tax administration purposes that include data matching, verification of taxpayer claims during return processing, preparation of substitute returns for non-compliant taxpayers, and identification of levy sources. There are a number of other legislative proposals in the Administration's FY 2016 Budget request that would also assist the IRS in its efforts to combat identity theft, including: giving Treasury and the IRS authority to require or permit employers to mask a portion of an employee's SSN on W-2s, which would make it more difficult for identity thieves to steal SSNs; adding tax-related offenses to the list of crimes in the Aggravated Identity Theft Statute, which would subject criminals convicted of tax-related identity theft crimes to longer sentences than those that apply under current law; and adding a $5,000 civil penalty to the Internal Revenue Code for tax-related identity theft cases, to provide an additional enforcement tool that could be used in conjunction with criminal prosecutions. It is important to note that these legislative proposals, while they would be very helpful, only would be partially effective in achieving their intended goals without adequate resources for the agency. With limited resources and information, the IRS currently is only able to review fewer than 5% of the 100 million returns that request a refund. If, prior to issuing refunds, the IRS had access to third-party documents for matching earlier in the filing season (e.g., W-2), we would be able to stop more refund fraud. With additional resources, the IRS could implement the following improvements to protect revenue and taxpayers: Expand the pre-refund filters and improve systemic coverage of potential ID Theft returns; Increase the number of analysts manually reviewing filing patterns to identify new suspicious patterns and react to newly submitted leads; and Improve service to victims of identity theft by increasing the number of IRS employees who manually review returns, contact taxpayers when needed, and make account adjustments for taxpayers affected by ID Theft. Question. During the summer of 2012, the IRS worked with an incumbent consulting firm to conduct tests of third-party, commercially available analytics to determine how well those solutions could detect and prevent fraudulent tax returns. What were the results of those tests and if they were successful, why have none of those solutions been implemented? Answer. In 2012, the IRS conducted a study to determine if third- party, commercially available analytics might improve identity theft protection beyond existing IRS Identity Theft (IDT) capabilities. Today, the IRS uses third-party data to facilitate validating identities and deterring ID theft fraud. For example, the Taxpayer Protection Program currently uses a third-party vendor's data to support ID Verify challenge questions used to authenticate taxpayers whose returns appear to be compromised by identity theft. In addition, the IRS is further partnering with industry to determine if new data sources and data elements can help IRS increase identity theft detection capabilities. Question. Does IRC 7216 need to be permanently amended to allow for the disclosure of limited filer information for the purposes of preventing fraudulent returns? Answer. Section 7216 does not require amendment to allow for the disclosure of limited filer information for purposes of preventing fraudulent returns. Regulations under section 7216 currently allow any disclosure of tax return information to an officer or employee of the IRS. Treas. Reg. Sec. 301.7216-2(b). They also allow disclosure of any tax return information to the proper Federal, State, or local officials to inform them of activities that may constitute a violation of any criminal law or to assist the investigation or prosecution of a violation of criminal law. Treas. Reg. Sec. 301.7216-2(q). Question. Has the IRS considered allowing consumers to opt into an alerting service that would notify them whenever a tax return has been filed using a consumer's personal information? Answer. Given current funding limitations, the IRS does not plan to implement an opt-in plan to notify a taxpayer whenever a tax return has been filed using a taxpayer's SSN or Individual Taxpayer Identification Number (ITIN). Currently, taxpayers are contacted when an individual tax return passes through IRS filters and is flagged for potential identity theft. ______ Questions Submitted by Hon. Debbie Stabenow Question. Over the last couple of years, we have seen several large data breaches involving tens of millions of customers: Target--40 million people, JPMorgan--76 million people, Home Depot--56 million people, Anthem--80 million people. The information stolen in the large data breaches is the kind of information that is then used to file false tax returns to obtain refunds, or, in this case, to access taxpayer information through the IRS. It emphasizes the need for greater security throughout the payment chain, before identity thieves get to the point of using stolen information to file false returns. As Commissioner of the IRS, you are limited in your ability to combat certain kinds of identity theft because you don't have control over the payment chain--identity thieves are using information that they have already obtained to file fraudulent returns. Can you tell us more about some of the steps that the IRS has been exploring to protect against fraudulent returns? Answer. The IRS has a comprehensive and aggressive identity theft strategy focused on preventing refund fraud, investigating these crimes, and assisting taxpayers victimized by identity thieves. We are also continuously conducting analysis and looking for ways to improve identity theft detection. Because identity theft criminals have significant resources to devote to these schemes, their methods are constantly evolving, forcing us to continually adjust our filters and processes accordingly. Realizing that we are only one participant in the battle against identity theft, we recently organized a Security Summit and invited representatives from state tax agencies and private industry, such as software vendors, to work on collaborative solutions to combat fraud schemes. In addition to victim assistance and outreach, the IRS's identity theft strategy also focuses on preventing refund fraud and investigating these crimes. Additional initiatives include these FY 2015 items: We now limit the number of tax refund deposits to a single account to three (3). Additional refunds to the same account are converted to paper checks. We believe this initiative has had a positive impact on our efforts to deter fraud and identity theft. We began receiving Device ID information to identify potential identity theft or fraud. The Device ID is the serial number (or fingerprint) of the device (for example, Computer, Smart Phone or Tablet). The unique ID is transmitted as part of the electronically filed return via our existing transmission process and enables the IRS to associate fraudulent returns that are filed from the same device. In addition to the nearly 1.5 million taxpayers that are given an Identity Protection Personal Identification Number (IP PIN), we expanded the population eligible to opt-in for IP PINs to taxpayers previously identified by the IRS as victims of identity theft. This allowed approximately 1.7 million more taxpayers to opt in to the IP PIN program. We continue to accelerate the use of more types of information returns to identify mismatches earlier. We provide phone, online and in person channels to enable those taxpayers, inadvertently caught up in our protective filters, to validate their identities and have their return processed. We continue to implement new identity theft screening filters to improve our ability to spot false returns before we process them and issue refunds. The IRS also continues to collaborate with software companies and financial institutions to identify patterns, trends and schemes that impact refund returns. The IRS also has initiated additional collaboration with the Bureau of Fiscal Service (BFS) on multiple direct deposits and payments shared between government agencies in the development of the new Payment Processing System. This collaboration provides an opportunity for IRS and other government agencies to work through BFS to identify fraudulent payments, increase recovery opportunities, improve data access, and reduce time in extracting or analyzing information from multiple data sources. This will also afford the opportunity for IRS and BFS to collaborate on refunds that have made it through IRS systems but appear suspicious based upon additional information and data external to IRS. The BFS system is expected to be online in September 2016. Question. Over the last few years, TIGTA and GAO have issued a number of reports on data security at the IRS, identifying a great many vulnerabilities and making recommendations for how those vulnerabilities might be addressed. While the IRS has made several efforts to implement recommendations and secure vulnerable information, follow-up reports suggest that many recommendations, those with which IRS agreed, remain unimplemented and many vulnerabilities still exist. Can you tell us more about the difficulties that the IRS has experienced in securing taxpayer data and protecting against fraud? Have any factors limited your ability to implement some of the measures you might want to take? Answer. The IRS is confident that its systems demonstrate high resistance to the normal daily cyber-attacks seen across government. However, there are no absolutes and, as with nearly all such current commercial cyber-defenses, it is very difficult to defend against sophisticated technologies. The IRS continues to devote scarce resources to cyber-security but after five years of cuts to our budget, it is currently much more challenging for the IRS to continuously stay ahead of evolving threats to its cyber-security. The IRS has been storing taxpayer data in digital form since 1970 and has a strong culture of protecting this data. Currently, the IRS takes a very aggressive approach to protecting taxpayer data through: restrictions on internet access; encryption of taxpayer data for any transmission externally; content filtering and strict firewall policies; and network security monitoring. In fact, the IRS has developed a Cyber-security Strategy that is focused on managing information security risk on a continuous basis; monitoring the security controls in IRS information systems and the environments in which those systems operate on an ongoing basis; and maintaining ongoing awareness of information security, vulnerabilities and threats. The critical risk to continuing to implement this strategy is not the sophistication or frequency of cyber-attacks, but instead is the IRS's current budget situation which has resulted in the reduction of Cyber-security staff and the inability to fill vacant positions. These skill sets and talents are under high demand across both the public and private sectors. The IRS's Cyber-security staff is currently 356 personnel, which is down from its high of 408 employees in FY 2012. The inability to hire and retain certified Cyber-security staff prevents the IRS from sustaining its vigilance against cyber-attack. This creates a capacity issue within cyber-security, where there are simply too many priorities and not enough time and resources to do all the work that needs to be done. In this situation, even high risk initiatives are put on hold, which is certainly not optimal with a mission as critical as the IRS. The IRS's current budget situation is also hampering our ability to modernize our antiquated systems and keep current our IT infrastructure, which is thwarting progress in implementing security controls and protecting us against today's cyber-attacks. For example, the design and logic of many of our IT systems dates back to the 1960s, and those systems simply do not support protective measures recommended by GAO and others that are needed in today's technological environment. Similarly, many of our off-the-shelf applications are running on older, less secure versions, and some are even reaching end-of-life and are no longer supported by the software companies, meaning they are no longer receiving security and other patches to ward off cyber-attacks and performance issues. Funding has clearly limited IRS's ability to improve data security. As explained further in response to the next question, fully funding the IRS's information-security operations at the levels specified in the President's FY 2016 Budget request would allow for significant improvements in data security at the IRS. Question. Year after year, Congress has cut the budget of the IRS while asking you to take on more responsibility. We've given you less money and fewer employees with which to protect the information of so many millions of taxpayers across the country. Some of my colleagues are fond of the saying: when you tax something you get less of it. However, I would point out that when you pay for less of something, you get less of it. When you pay less for data security, you get less data security. It's a pretty straightforward concept, but unfortunately, here we are, after five years of cutting the IRS budget, being concerned about why more resources weren't put into data security. Commissioner Koskinen, if this Committee and this Congress would give you more tools to combat this sort of data breach and the money to implement those tools, could you improve data security at the IRS? Answer. Yes. Additional data security tools, and funding for people, processes and technologies to implement those tools, would allow for significant improvements in data security at the IRS. Congress can help by approving the President's FY 2016 Budget request for the IRS. The IRS budget includes $281 million (including 1,270 Full Time Equivalents (FTE)) specifically devoted to combating stolen identity refund fraud, cyber-security enhancements and related activities. This amount includes: $65 million to provide secure digital communications for taxpayers and provide leading-edge technologies to protect U.S. Treasury revenue through use of the IRS Return Review Program as well as advance IRS effectiveness in detecting, addressing, and preventing tax refund fraud; $42.6 million to enhance investigations of transnational organized crime; $40.7 million to address international and offshore compliance issues; $17.2 million to pursue employment tax and abusive tax schemes; and $8.2 million to improve taxpayer services through e-file authentication and mailing address data verification. The budget also includes $188 million (including 157 FTE) for critical information technology infrastructure that will help ensure taxpayer data remains safe. In FY 2017, the IRS will continue its commitment to taxpayers by building a new era of tax administration that will feature, among other priorities, stronger foundational capabilities and greater protection for the accounts of America's taxpayers. Additional funding will allow us to make these investments to strengthen cyber-defense and prevent identity theft and refund fraud by investing in technology and workforce skills that will allow for timely risk assessments, efficient analysis of vast volumes of data, and quicker reaction times to potential risks and incidents. Data breaches and identity theft place a huge burden on their victims and present a challenge to businesses, organizations, and the IRS. The IRS is making progress against these crimes, but in the absence of sufficient resources and tools, these problems will continue and only compound over time. Question. A number of my colleagues, including the Chairman and Ranking Member, Senator Nelson, and others, have introduced legislation addressing identity theft. The Individual Tax Reform Working Group, of which I am a co-chair, has been looking at identity theft and other tax administration issues. I hear from constituents who have fraudulent returns filed in their names, or whose family members are victimized by scammers, with very serious consequences and even heartbreaking consequences. I hope that we will take up some of these proposals to prevent these issues in the near future. Are there specific tools or proposals that would be especially helpful to you in efforts to prevent identity theft? Answer. Congress can help us in the fight against refund fraud and identity theft by passing several important legislative proposals in the President's FY 2016 Budget proposal, including the following: Acceleration of information return filing due dates. Under current law, most information returns, including Forms 1099 and 1098, must be filed with the IRS by February 28 of the year following the year for which the information is being reported, while Form W-2 must be filed with the Social Security Administration (SSA) by the last day of February. The due date for filing information returns with the IRS or SSA is generally extended until March 31 if the returns are filed electronically. The Budget proposal would require these information returns to be filed earlier, which would assist the IRS in identifying fraudulent returns and reduce refund fraud, including refund fraud related to identity theft. Correctible error authority. The IRS has authority in limited circumstances to identify certain computation or other irregularities on returns and automatically adjust the return for a taxpayer, colloquially known as ``math error authority.'' At various times, Congress has expanded this limited authority on a case-by-case basis to cover specific, newly enacted tax code amendments. The IRS would be able to significantly improve tax administration--including reducing improper payments and refund fraud as well as reducing costly audits-- if Congress were to enact the Budget proposal to replace the existing specific grants of this authority with more general authority covering computation errors and incorrect use of IRS tables. Congress could also help in this regard by creating a new category of ``correctible errors,'' allowing the IRS to fix errors in several specific situations, such as when a taxpayer's information does not match the data in certain government databases. To correct these errors today, IRS must open an audit, and we are limited in the number of audits we conduct by the resources available to engage with the taxpayer in the full audit process. Being able to correct certain mismatch errors would help with reducing some types of refund fraud. Authority to regulate return preparers. In the wake of court decisions striking down the IRS's authority to ensure unenrolled and unlicensed paid tax return preparers maintain minimum standards of competency, Congress should enact the Budget proposal to provide the agency with explicit authority to ensure all paid preparers maintain minimum standards. This legislation would help promote high quality services from tax return preparers and reduce refund fraud, improve voluntary compliance, foster taxpayer confidence in the fairness of the tax system, and protect taxpayers from preparer errors Expanded access to Directory of New Hires. Under current law, the IRS is permitted to access the Department of Health and Human Services' National Directory of New Hires only for purposes of enforcing the Earned Income Tax Credit and verifying employment reported on a tax return. The proposal would allow IRS access to the directory for tax administration purposes that include data matching, verification of taxpayer claims during return processing, preparation of substitute returns for non-compliant taxpayers, and identification of levy sources. There are a number of other legislative proposals in the Administration's FY 2016 Budget request that would also assist the IRS in its efforts to combat identity theft, including: giving Treasury and the IRS authority to require or permit employers to mask a portion of an employee's SSN on W-2s, which would make it more difficult for identity thieves to steal SSNs; adding tax-related offenses to the list of crimes in the Aggravated Identity Theft Statute, which would subject criminals convicted of tax-related identity theft crimes to longer sentences than those that apply under current law; and adding a $5,000 civil penalty to the Internal Revenue Code for tax-related identity theft cases, to provide an additional enforcement tool that could be used in conjunction with criminal prosecutions. It is important to note that these legislative proposals, while they would be very helpful, only would be partially effective in achieving their intended goals without adequate resources for the agency. With limited resources and information, the IRS currently is only able to review fewer than 5% of the 100 million returns that request a refund. If, prior to issuing refunds, the IRS had access to third-party documents for matching earlier in the filing season (e.g., W-2), the IRS would be able to identify fraudulent returns for which there were no matching information returns. This would help reduce refund fraud, including refund fraud related to identity theft. With additional resources, the IRS could implement the following improvements to protect revenue and taxpayers: Expand the pre-refund filters and improve systemic coverage of potential ID Theft returns; Increase the number of analysts manually reviewing filing patterns to identify new suspicious patterns and react to newly submitted leads; and Improve service to victims of identity theft by increasing the number of IRS employees who manually review returns, contact taxpayers when needed, and make account adjustments for taxpayers affected by ID Theft. ______ Questions Submitted by Hon. Mark R. Warner Question. Commissioner Koskinen, based on your testimony, taxpayers used the Get Transcript application to successfully obtain over 20 million copies of their recently filed tax information. In previous statements, you have also mentioned that the ``Where's my Refund?'' application has been hugely successful. What does the IRS consider when balancing the availability of these services with protecting taxpayer's personally identifiable information? Answer. In accordance with the National Institute Standards and Technology (NIST), the IRS has implemented a holistic, organization- wide Cyber-security risk management process with the principal goal of protecting the IRS organization and the ability to perform the IRS mission. The Cyber-security risk management process is treated as an essential management function of the organization balancing the assessment of management, operational, and technical controls to protect IRS systems. This approach includes applying NIST and Federal Information Security Management Act (FISMA) guidelines in identifying appropriate levels of identity proofing and authentication needed to protect IRS data and systems from identity and cyber-thieves. We developed our on-line services to facilitate taxpayers' increasing demand for self-service and electronic service options by providing them with more web-based tools, to make their interactions with us simpler and easier. As part of that effort, we launched an updated version of the Where's My Refund (WMR) application for the 2003 filing season and the Get Transcript online application in January 2014. WMR enables taxpayers to check the status of their refund online or through their mobile device. Get Transcript allows taxpayers to view and print a copy of their prior-year tax information, also known as a transcript, in a matter of minutes. Prior to the introduction of this online tool, taxpayers had to wait five to seven days after placing an order by phone or by mail to receive a paper transcript by mail. Taxpayers use tax transcript information for a variety of financial activities, such as verifying income when applying for a mortgage or student loan. During the 2015 filing season through May 22, 2015, taxpayers used WMR more than 217 million times. Without the WMR application, these contacts would have been driven primarily to our telephone application during a time when less than 40% of taxpayer calls were being answered. Before the Get Transcript application was shut down for security reasons, taxpayers had used that application to successfully obtain approximately 23 million copies of their recently filed tax information during the 2015 filing season. If this application had not existed and these taxpayers had to call or write us to order a transcript, it would have stretched our limited resources even further. That point is important to note, given our limitations during the past filing season. We would have been much less efficient in providing taxpayer service, not to mention the additional burden placed on taxpayers. The IRS considers many factors in making decisions around the appropriate level of identity proofing and authentication. Striking the right balance between a high level of confidence that the data and application are secure, and the ability of legitimate taxpayers to execute the authentication process and use the services, requires the IRS to make risk-based decisions. Today, striking the right balance between ease of access for legitimate taxpayers and protection of their data is an increasing challenge. As criminals obtain more personal information, authentication protocols need to become more sophisticated, moving beyond information that used to be known only to individuals but now, in many cases, is readily available to criminal organizations from various sources. The IRS continues to scrutinize and strengthen our authentication processes. In March 2015, we held a sit-down meeting with the leaders of the tax software and payroll industries and state tax administrators. We agreed to build on our cooperative efforts of the past and find new ways to leverage this public-private partnership to help battle identity theft. We formed three working groups, one focusing on authentication, that continue to meet. They have agreed on short-term solutions to help taxpayers in the next tax season, and continue to work on longer-term efforts to protect the integrity of the nation's tax system. We identified numerous new data elements that can be shared at the time a tax return is filed to detect stolen identity refund fraud. Some issues we're focusing on include: Reviewing the transmission of the return, including the improper or repetitive use of Internet Protocol numbers, and the Internet address from which the return is originating. Reviewing computer device identification data tied to the return's origin. Reviewing the time it takes to complete a return, so computer mechanized fraud can be detected. Capturing meta-data in the computer transaction that will allow review for fraud. This data will give us a stronger line of sight than ever before at the front end of the process and we believe this will help catch more bad returns immediately. We must balance the strongest possible authentication processes with the ability of taxpayers to legitimately access their data and use IRS services online. The challenge will always be to keep up with, if not get ahead of, fraudsters in this area. The eventual approaches to authentication may include a combination of continued IT investments as well as modified business processes. We continue to work with other federal agencies across government to identify best practices, leverage information and identify broader solutions. Ultimately, it is investment in our staffing and IT systems that will be critical to properly equipping the IRS to combat and prevent fraudulent and criminal activity. Question. Commissioner Koskinen, last month, I co-sponsored the Social Security Identity Defense Act of 2015 with Senators Johnson and Ayotte. This bill would require the IRS to notify an individual if the agency has reason to believe the individual's Social Security Number has been fraudulently used. It also requires that the IRS notify law enforcement and that the Social Security Administration notify employers who submit fraudulently used Social Security Numbers. In addition to this legislation, I have written to you on several occasions to understand what the IRS is doing to notify victims of tax- related identity theft. What steps is the IRS taking to notify victims of this recent attack, and what will you be doing in the future to protect their tax information? Answer. Ensuring the security of our systems and the protection of taxpayers and their information are top priorities. Even with our constrained resources over the past few years, we continue to devote significant time and attention to these challenges. Ongoing data breaches involving other companies and organizations, through which criminals have been able to gather increasing amounts of personal data, make it even more challenging and difficult to protect taxpayers. In May, the IRS determined unauthorized third parties already had sufficient information from a source outside the tax agency before accessing the Get Transcript application. This allowed them to clear a multi-step authentication process, including several personal verification questions that typically are only known by the taxpayer. When the IRS first identified the problem in May, we determined that these third parties with taxpayer-specific sensitive data from non-IRS sources had cleared the Get Transcript verification process on about 114,000 total attempts. In addition, it appeared at that time that third parties made another 111,000 attempts that failed to pass the final verification step, meaning they were unable to access account information through the Get Transcript service. Since then, as part of the IRS's continued efforts to protect taxpayer data, the IRS conducted a deeper analysis over a wider time period covering the 2015 filing season, analyzing more than 23 million uses of the Get Transcript system. The new review identified an estimated additional 220,000 attempts where individuals with taxpayer- specific sensitive data cleared the Get Transcript verification process. The review also identified an additional 170,000 suspected attempts that failed to clear the authentication processes. The IRS mailed letters to all taxpayers identified in May and later we also mailed letters to the population identified in August (as part of our continued analysis). To the taxpayers whose tax information was successfully obtained by unauthorized third parties, we are offering credit monitoring, at our expense. We strongly encourage the recipients of these letters to take advantage of the credit monitoring. We are also giving them the opportunity to provide us with the authentication documentation necessary to get an Identity Protection Personal Identification Number (IP PIN). This will further safeguard their IRS accounts and help them avoid any problems filing returns in future years. The IRS is marking all of the impacted accounts will indicators that will help identify and prevent any fraudulent returns from being filed under those SSNs. The Get Transcript application was shut down in May, and the IRS continues to work on strengthening the system. In the meantime, taxpayers have several other options to obtain transcripts. The IRS takes the security of taxpayer data extremely seriously, and we are working aggressively to protect affected taxpayers and continue to strengthen our systems. The matter remains under review by the Treasury Inspector General for Tax Administration as well as IRS Criminal Investigation. Question. Commissioner Koskinen, the nation's economy and Americans' personal and financial information are increasingly under threat from cyber-attacks aimed at stealing personal data. In recent years, hundreds of millions of Americans have had their information compromised through high-profile breaches at Target, Neiman Marcus, Michaels, Home Depot, JPMorgan and Anthem. I am working on a proposal to create a comprehensive, nationwide and uniform data breach law that is consistently applied and enforced across industries, and requires minimum data security standards and consumer notification for breaches of financial data and other sensitive information. This recent theft at the IRS of over 100,000 taxpayer records by sophisticated attackers is yet another example of how stolen personal data can perpetuate an even larger fraud problem. What is the IRS doing to understand and react to the newest developments in cyber-security and data breach? Answer. Cyber-security is a primary component of the IRS's information technology infrastructure. We use a proactive, layered set of cyber-defenses, and we assess risks in our management approach. The IRS's policy is to assume that a penetration can occur, and so we focus on prevention, constantly assessing our digital defenses, seeking to detect intrusions rapidly, quarantining infections, and taking prompt counter measures. The IRS works closely with partners in the Federal Government, such as: the Treasury Department's Government Security Operations Center (GSOC); the Department of Homeland Security's (DHS) Computer Emergency Readiness Team (US-CERT) as well as DHS's Government Forum of Incident Response and Security Team (GFIRST); and the Treasury Inspector General for Tax Administration (TIGTA). While the IRS has a long history of successfully defending against attempts to steal taxpayer data, constant vigilance is needed, as the Get Transcript incident shows. Currently, the IRS takes a very aggressive approach to protecting taxpayer data by: restricting internet access; encryption of taxpayer data for any transmission externally; content filtering and strict firewall policies, and network security monitoring. In fact, the IRS has developed a Cyber-security Strategy that is focused on managing information security risk on a continuous basis; monitoring the security controls in IRS information systems and the environments in which those systems operate on an ongoing basis; and maintaining ongoing awareness of information security, vulnerabilities and threats to support organizational risk management decisions. The critical risk to continuing to implement this strategy is not the sophistication or frequency of cyber-attacks, but instead is the IRS's current budget situation which has resulted in the reduction of Cyber-security staff and the inability to fill vacant positions. These skill sets and talents are under high demand across both the public and private sectors. The IRS's Cyber-security staff is currently 356 personnel, which is down from its high of 408 employees in FY 2012. The inability to hire and retain certified Cyber-security staff prevents the IRS from sustaining its vigilance against cyber- attack. In addition to addressing the cyber-security issues of today, the IRS is working to anticipate the challenges of evolving technology used by taxpayers. The IRS is currently trying to move to a more robust interactive web-based means of interacting with taxpayers. The American people have grown accustomed to instant financial exchanges with lenders, brokers, and banks. The IRS believes that delivering top quality service to America's taxpayers requires catching up to those expectations in order to operate seamlessly but securely in a digital and global environment. This evolution will increase cyber-security risks, requiring more resilience and protection of data. In response to the recent fraud incident referenced in your question, we are reviewing multiple authentication policies and capabilities with particular focus on updating our e-Authentication system for accessing a variety of online applications. The IRS is researching internal capabilities as well as those available from third parties through existing and planned contracts. These options include, but are not limited to: Internal IRS configuration updates to limit fraud and vulnerabilities to scripting attacks; Implementing the ability to add additional levels of assurance; Layering additional capabilities such as multi-factor authentication to complement assurance gained through taxpayer interactions; and Third-party configuration changes to improve and strengthen out-of-wallet questions for applications with the ability to use this type of authentication, such as online payment options. We must balance the strongest possible authentication processes with the ability of taxpayers to legitimately access their data and use IRS services online. The challenge will always be to get ahead of our enemies in this area. In addition to e-authentication improvements, the IRS also plans to enhance return filing by conducting the Processing Year W-2 Verification Code Pilot which will test the capability of a hash-based authentication code. The test will confirm the authenticity of Forms W- 2 data on a pilot population of e-filed Forms 1040. The pilot is one of multiple IRS efforts to develop capabilities for authenticating taxpayers, and taxpayer data, at the point of filing to prevent identity theft and first party refund fraud. And finally, Cyber-security and related initiatives submitted as part of the President's FY 2016 budget submission are specifically devoted to combating identity theft and refund fraud, as well as investing in critical information technology infrastructure. These initiatives will help enhance security in digital communications for taxpayers; provide leading-edge technologies to protect tax revenue through use of the IRS Return Review Program as well as advance IRS effectiveness in detecting, addressing, and preventing tax refund fraud; and improve taxpayer services with e-file authentication enhancements. Question. Commissioner Koskinen, it is my understanding that third- party vendors have signed up with the IRS to access taxpayer transcripts via the Income Verification Express Service. What is the IRS doing to ensure that these third-party vendors that have signed up with the IRS to access taxpayer transcripts have appropriate safeguards in place and are not vulnerable to data breaches? Answer. The IRS discloses return information to an Income Verification Express Services (IVES) participant pursuant to the taxpayer's authorization and request pursuant to Internal Revenue Code (IRC) section 6103(c). The taxpayer provides this authorization by completing and signing Form 4506-T, Request for Transcript of Tax Return. Form 4506-T includes this important statement to the taxpayer: Caution. If the tax transcript is being mailed to a third party, ensure that you have filled in lines 6 through 9 before signing. Sign and date the form once you have filled in these lines. Completing these steps helps to protect your privacy. Once the IRS discloses your tax transcript to the third party listed on line 5, the IRS has no control over what the third party does with the information. If you would like to limit the third party's authority to disclose your transcript information, you can specify this limitation in your written agreement with the third party. Once the IRS discloses the information to the IVES participant pursuant to a valid Form 4605-T authorization, the IRS generally has no legal control over what the third party does with the information. The IRS added a checkbox to Form 13803, IVES Applicant Agreement, listing additional limited use or non-disclosure restrictions. The checkbox states: By marking this box, you acknowledge that you have read Publication 4557, Safeguarding Taxpayer Data, and will abide by the guidelines of the publication. In addition, you agree to use the taxpayer information you receive only for the purpose(s) the taxpayer/requestor intended on the Form 4506-T. Failure to complete this box will result in the application being rejected and returned. By checking the box, each IVES applicant acknowledges these non- disclosure restrictions as a condition of participating in the program. In addition, Publication 4557 addresses the responsibility of non- government service providers to secure information systems and security systems in addition to facilities and personal security required. ______ Submitted by Hon. Pat Roberts, a U.S. Senator From Kansas The New York Times May 28, 2015 I.R.S. Data Breach May Be Sign of More Personalized Schemes By Patricia Cohen The plot to steal information on 100,000 taxpayers from the Internal Revenue Service and hijack nearly $50 million in refunds not only reveals a previous security breach but hints at a wider fraud that may bedevil Americans in the future. Some security and tax experts warned that this latest data theft might be a prelude to more targeted schemes aimed at duping taxpayers into handing millions of dollars over to criminals or to help thieves circumvent the agency's security filters next year and beyond. ``This breach is not just about what this single group is going to do with the information, but what happens when this information gets sold on the black market,'' said Peter Warren Singer, the author of ``Cybersecurity and Cyberwar: What Everyone Needs to Know.'' ``It's rare for the actual attackers to turn the information directly into money. They're stealing the data and selling it off to other people.'' It is almost impossible to find a business or government agency that has not had some kind of security breach, he noted. Millions of customers at companies like Target and the private insurer Anthem have had data compromised. And this year, TurboTax temporarily halted electronic filing of state income tax returns after seeing an uptick in attempts to use stolen information to file fraudulent returns and wrongly claim tax refunds. With the I.R.S., it was not the agency's own system that was hacked. Criminals had already obtained individuals' Social Security Numbers, addresses and birth dates and then used the information to trick the network and gain access to taxpayers' returns and filings through an application on the I.R.S. website. ``There was no identity theft within the I.R.S.'s actual system,'' said Aaron Blau, a tax expert in Tempe, AZ. ``These people already had all of this data. They could have used this information to call your bank, your doctor, your insurance carrier, and they would have gotten through 100 percent of the time. In this case they chose to use the I.R.S.'' Many Americans are being attacked more directly, Mr. Blau said. One popular scheme is to cold-call taxpayers and threaten them with prosecution if they do not immediately pay money supposedly owed to the I.R.S. by directing them to purchase a prepaid debit card and then transfer the money. Now, with more detailed information from returns, criminals could better target potential victims, and bolster their credibility with information stolen from taxpayer filings, Mr. Blau said. Reusable prepaid cards have become a magnet for fraud, according to law enforcement officials, with criminals often posing as bill collectors, government agents and others. Without more information about the individuals who were targeted, it is hard to know the endgame, said Marc Goodman, the author of ``Future Crimes.'' Mr. Goodman noted that previous security breaches had sometimes been used to embarrass politicians, celebrities or corporate figures, and tax returns would provide a rich source of personal information. Although some critics have been quick to condemn the I.R.S., several tax experts said using this episode to vilify the agency was unfair. ``The I.R.S. takes data, privacy and data security extremely seriously,'' said Edward Kleinbard, a professor of law at the University of Southern California and former staff director of the Joint Tax Committee of Congress. ``They do their best, but the resources arrayed against it have become increasingly well-funded and sophisticated, and the problems will only compound over time.'' William Gale, co-director of the tax policy center at the Brookings Institution, agreed that the issue extended beyond a single agency. ``I don't think this is an I.R.S. problem per se. It is facing the same problems that all the major data providers have.'' The I.R.S. has repeatedly said that protecting taxpayer information and combating fraud were priorities. Half of the attempted information thefts were rebuffed through a system of filters that are used to detect fraud, the agency said. Still, there is little debate that its efforts have been hampered by budget cuts. Just two months ago, an agency overseer issued what now seems to be a prescient warning. ``Resources have not been sufficient for the I.R.S. to work identity theft cases dealing with refund fraud, which continues to be a concern,'' J. Russell George, the Treasury Inspector General for Tax Administration, testified before a Senate subcommittee. The agency's budget has been cut by 17 percent over the last four years after taking inflation into account, and its work force, now at roughly 83,000, has been reduced by 12,000. This year, John A. Koskinen, the I.R.S. commissioner, warned that impending budget cuts would have devastating effects, including the delay of new protections against identity theft and refund fraud. Chuck Marr, director of federal tax policy at the Center on Budget and Policy Priorities in Washington, said that the agency has been starved for funds: ``The Congress has been targeting the I.R.S. for years.'' Nina E. Olson, who leads the Taxpayer Advocate Service, an independent office at the I.R.S., has criticized the agency for its handling of identity theft cases. In her annual report, she noted that victims often must ``navigate a labyrinth of I.R.S. operations and recount their experience time and again to different employees. Even when cases remain in one I.R.S. function, they may be transferred from one assistor to another with significant periods of non-activity.'' On average, the agency took nearly six months to resolve cases. She added that cases were also frequently closed prematurely, ``before all related issues have been fully addressed.'' Her office recommended that a single officer be assigned to handle each case. In an email, she spoke to a broader issue: ``While granting taxpayers enhanced access to their tax information remains a laudable goal, the overriding priority must be to protect taxpayers' confidential tax information from exposure.'' As for this most recent data theft, the I.R.S. urged taxpayers not to contact the agency, saying it would only delay the already overburdened staff. Anyone whose information was stolen will be contacted, the agency said. The best advice at this stage, Mr. Blau, the tax expert, said, is, ``Hurry up and wait.'' ______ Prepared Statement of Hon. Ron Wyden, a U.S. Senator From Oregon Three months ago, the Finance Committee met in a hearing on the latest ID theft and other scams plaguing taxpayers, and I said that wave of attacks sure looks to me like organized crime. Today, we meet after 104,000 tax returns have been hoovered up by what appears to be a sophisticated organized crime syndicate. This problem continues to spiral, with hackers targeting Federal agencies, State governments including Oregon's, and private companies alike to steal money and data. One recent report from the Department of Homeland Security said federal agencies' computer systems come under attack hundreds of times a day, tens of thousands of times a year. The investigation of the stolen tax returns is ongoing as of this morning. But once again, it seems the thieves are one step ahead of the authorities. They gained access to enormous amounts of personal data, which is up for purchase at extraordinary cost in the Internet's shadowy corners. These rip-off artists used that data to slip past the security filters at the IRS and steal taxpayers' most sensitive financial information. So in my view, it's fair to say that once again, this conduct fits the definition of organized crime. The thieves who steal taxpayer information could wipe out people's life savings and leave them in financial ruin. They could falsify tax returns next year or further down the road. They could take out huge, fraudulent home or student loans. And on a bigger scale, the money stolen in this cyber-crime wave could be funneled into more criminal activity. It could wind up in war zones. There's a possibility that it could fund acts of terrorism without being traced. Just like when the White House and the Department of Defense were targeted in the past, this was an attack on Americans' security. I will be very direct about what's needed here. To protect taxpayers from this onslaught of cyber-crime, the IRS needs a 21st-century IT system. This is not just a question of resources, and certainly it is not a lack of commitment from the IRS staff. It's also a question of expertise. The era of punch cards and paper forms ended long ago. Federal agencies like the IRS need to tap into the expertise of our leading web firms--the pros who serve not millions or tens of millions, but hundreds of millions of users. That expertise will allow the IRS to avoid the pitfalls of the past and to implement a 21st-century IT system that protects taxpayers' privacy, catches hackers and cheats, and funds the government as efficiently as possible. When that system is in place, Congress must step up and appropriate the funds necessary to manage it effectively. Legislators would not call for the DOD or White House security budgets to be slashed after cyber-attacks, but the IRS's security funding has been shrinking for years. No company would try to defend against modern cyber-criminals with technology that's 20 or 30 years old, but that's what the IRS is stuck using in the absence of the expertise and resources to serve the American taxpayer. Congress could also make sure the IRS has the information it needs to mount the strongest possible fight against fraudsters. If the IRS had access to the data on W-2 and 1099 forms from the very beginning of tax season, it would be much easier to catch fraudulent returns early and save taxpayers the nightmare of a stolen refund. Senator Hatch and I developed a bipartisan proposal to add an extra level of security by expanding the program that distributes unique passwords for individual taxpayers to use when they file. And when taxpayers do become victims of fraud, they should get more help undoing the damage quickly and restoring their credit. It should be clear to everybody that beefing up cyber-security at the IRS must be a top priority and draw on the tech expertise that exists in Oregon and in states across the country. So it's my hope that our hearing today will set aside politics and focus on fresh ideas of how to best protect taxpayers. [all]