Crapo, Grassley Question IRS Responsiveness over Data Breach

Source: United States Senator for Idaho Mike Crapo

August 10, 2021

Washington, D.C. – U.S. Senator Mike Crapo (R-Idaho), Ranking Member of the Senate Finance Committee, and U.S. Senator Chuck Grassley (R-Iowa), Ranking Member of the Judiciary Committee, asked Internal Revenue Service (IRS) Commissioner Charles Rettig for an update on the recent major potential data leak at the IRS, questioning whether the IRS has fulfilled its legal requirements under the Federal Information Security Modernization Act (FISMA) of 2014.

It has been months since the media outlet ProPublica first said it had obtained private taxpayer data, and the IRS has had more than two months to determine whether its systems had been breached by internal or external actors.  Crapo and Grassley ask Commissioner Rettig whether a breach has been discovered, and whether the IRS and Treasury, to his knowledge, have fulfilled the reporting responsibilities set out in FISMA.  At a time when Democrats are proposing to have financial institutions monitor and report on bank and financial accounts of virtually all American taxpayers, it is imperative to know how and why private taxpayer information appears to have been exposed.

From the letter:

“We still do not know whether IRS systems, which contain personal and sensitive information on Americans across the income, wealth, and political spectra, have been breached by internal or external hackers, though IRS systems analysts almost surely know by now.  The threats to Americans’ privacy and our national security that could result from theft and exploitation of such data are of extreme concern.” 

“Recall that in a very recent security breach at the Treasury Department, and suspected possible breach at the IRS, Congress was timely informed, in accord with FISMA requirements.  Specifically, toward the end of last year, numerous federal agencies were affected by security compromises associated with SolarWinds Orion products.” 

“In stark contrast, the Senate Finance Committee has not received reports from Treasury, the IRS, TIGTA, the Cybersecurity and Infrastructure Security Agency (CISA), or any other agency of government indicating whether or not there has been a major information security incident in association with ProPublica’s claim to have obtained a vast trove of sensitive, private, and legally-protected data stemming from IRS files.”

Among other requirements, FISMA assigns responsibilities to federal agencies for reporting all security incidents, including major incidents, to committees of Congress not later than seven days after the date on which there is a “reasonable basis” to conclude that a major incident has occurred.  In the letter, the senators ask Commissioner Rettig a series of clarifying questions regarding the IRS’s legal responsibilities related to the potential massive data leak.

The full text of the letter follows:

August 10, 2021

The Honorable Charles P. Rettig
Commissioner
Internal Revenue Service
1111 Constitution Avenue, NW
Washington, DC 20224

Dear Commissioner Rettig,

We are concerned about harms to Americans’ privacy, possible threats to national security, and an undermining of confidence in the self-reporting nature of our tax system stemming from a possible major data-security breach at the IRS.

Stories have been produced by ProPublica that apparently use sensitive, legally-protected, and private taxpayer information purportedly derived from Internal Revenue Service (IRS) files.  ProPublica’s claim it has obtained a “vast trove of Internal Revenue Service data on the tax returns of thousands” of Americans implies that there has been a major information security incident.

The veracity of ProPublica’s claims remains unknown, and we have not received responses to our requests for more information.  To our knowledge, there is no publicly available basis for determining whether innocent Americans, including law-abiding citizens of our home states, have had their private, legally-protected, and sensitive information leaked into the hands of journalists and activists, or obtained by foreign agents or others.

IRS systems analysts and others have had nearly two months to investigate. Yet, we still do not know whether IRS systems, which contain personal and sensitive information on Americans across the income, wealth, and political spectra, have been breached by internal or external hackers.  Americans deserve answers. The threats to Americans’ privacy and our national security that could result from theft and exploitation of such data are of extreme concern.

ProPublica’s claims raise different possibilities. One is that someone inside the IRS, including contractors or researchers, breached the legal protections afforded taxpayers’ private information and provided the information to outside individuals.  Another is that sophisticated outside hackers, possibly including hostile foreign actors, breached IRS systems to obtain private, legally-protected, and sensitive taxpayer information.

These two possibilities would involve a breach consistent with the definition of an “incident” contained in the Federal Information Security Modernization Act (FISMA) of 2014 (P.L. 113-283).  Among other requirements, FISMA assigns responsibilities to federal agencies for reporting security incidents, including major incidents, to committees of Congress not later than seven days after the date on which there is a reasonable basis to conclude that a major incident has occurred.

The ProPublica claims of having obtained a vast trove of IRS data were first published on June 8, 2021, which curiously was immediately prior to a Senate Finance Committee hearing on the IRS’s fiscal year 2022 budget. The claim of possession of tax information of at least thousands of people provides a reasonable basis to conclude that a major incident might have occurred, posing imminent threats of violation of security policies, procedures, or acceptable data usage.

In a very recent breach of security at the Treasury Department, and suspected possible breach at the IRS, Congress was timely informed, in accord with FISMA requirements.  Specifically, in December of 2020, numerous federal agencies were affected by security compromises associated with SolarWinds Orion products.

The Treasury Department and IRS, including Chief Information Officers from each agency, responded promptly to the incident with reporting to congressional committees and briefings. This included timely responses to the Senate Finance Committee to, in part, assure that no private taxpayer information at the IRS had been breached.

Treasury and the IRS at the end of last year appear to have fully and timely complied with all reporting requirements and timelines called for in FISMA in association with the SolarWinds Orion incident.  In addition, in response to inquiries from Congress, the Treasury Inspector General for Tax Administration (TIGTA) subsequently confirmed on December 23, 2020, that no sensitive, private, and legally-protected taxpayer data appeared to have been exposed.

In stark contrast, the Senate Finance Committee has not received any reports from Treasury, the IRS, TIGTA, the Cybersecurity and Infrastructure Security Agency (CISA), or any other agency of government indicating whether or not there has been a major information security incident in association with ProPublica’s claim to have obtained a “vast trove” of sensitive, private, and legally-protected IRS data.

One inference from this inaction is that there has not been, in the assessment of the Treasury and IRS, an information security incident that should have been reported according to FISMA requirements.  This could mean that neither Treasury nor the IRS has discovered, to date, that there has been an internal or external hack of IRS systems that could have led to sensitive, legally-protected, and private taxpayer information ultimately finding its way to ProPublica.

Please respond to the following clarifying questions by August 24, 2021.

  1. Have Treasury and the IRS fulfilled all legal responsibilities, including those set forward in FISMA, for reporting any threat of a data breach (“incident”) to the Secretary of Homeland Security, CISA, or the Director of the Office of Management and Budget?
  2. Have Treasury and the IRS fulfilled all legal responsibilities, including those set forward in FISMA, for reporting to committees of jurisdiction, including the Senate Finance Committee?
  3. Is it true that neither Treasury nor the IRS has determined that there has been an internal or an external breach of systems that would lead to unlawful public revelation of sensitive, legally-protected, private taxpayer information?
  4. Has the IRS Computer Security and Incident Response Center identified any reason to believe there has been a breach of IRS systems that would lead to unlawful public revelation of sensitive, legally-protected, private taxpayer information?
  5. Please provide documentation of the criteria utilized by the IRS to determine whether an “incident” as defined by FISMA has occurred that would require reporting to Congress.

Sincerely,