IRS Accidentally Makes 120,000 Taxpayers’ Data Public
Names, contact information, and financial information—including organizational income data—were included in the accidental exposure. This information came from Form 990-T, which is typically filled out by those holding self-directed IRA or HSA accounts. The form is used to report various financial data including unrelated business income, income tax refunds, unrelated business income tax liability, and more. Once completed, Form 990-T houses a person’s or organization’s address, employer identification number, and income and tax amounts.
According to the Federal Information Security Modernization Act (FISMA) and other regulatory criteria, the IRS is required to inform Congress of data breaches affecting more than 100,000 individuals within seven days of a breach’s discovery. IRS acting assistant secretary Anna Canfield Roth sent a letter to Congress complying with these requirements on Friday. While business contact information appears to have been made public, Roth reported the compromised information “did not include Social Security numbers, individual income information, detailed financial account data, or other sensitive information that could impact a taxpayer’s credit.”
The blunder was allegedly the result of a human coding error from last year, when Form 990-T was first eligible for electronic filing. As the form’s data was processed, confidential information was accidentally thrown in with public data, resulting in the whole lot being searchable and downloadable online. It wasn’t until the last few weeks that an in-house IRS researcher stumbled upon the error and initiated an investigation accordingly. The affected confidential data has since been removed, and those affected will receive notice from the IRS in the coming weeks.
Roth’s letter says the IRS will be reviewing its own practices to ensure it has safeguards in place that might prevent future unauthorized data disclosures. Should the IRS find any areas for improvement (and given its unfortunate history with data breaches, it probably will) it might find solace in the Inflation Reduction Act, which will bump up the agency’s budget by about $80 million over the next decade. IRS Commissioner Chuck Rettig has previously said the budget increase will help “meaningfully improve taxpayer service and technology.” For the 120,000 individuals affected by this security gaffe, that had better be the case.