The Treasury Inspector General for Tax Administration found that IRS employees sent taxpayers’ information to unencrypted email accounts.
According to the IG’s report, IRS employees put U.S. taxpayers at risk of identity theft by sending personally identifiable information to email accounts not protected by government security protocols.
The problem is especially bad in the IRS’s small business and self-employed division where, between May and June 2015, IRS workers sent 326 unencrypted emails containing sensitive information about 8,031 taxpayers.
Based on observations, the IG report estimates that IRS employees send around 1.1 million unprotected emails each year, giving hackers the ability to access sensitive information for more than 28 million taxpayers.
“The IRS has established penalties, ranging from admonishment to removal, for employees who send unencrypted emails with taxpayer personally identifiable information/tax return information; however, there was no evidence provided that these penalties were enforced,” the IG said. “Based on additional statistical analysis, we estimate that 3.9 percent of all small business/self-employed division employee emails contain one or more violations, with most being internal emails (3.3 percent).”
IRS officials say they are working to correct the problem.
“These communications are within the extensive protections of the IRS firewall, and pose a minimal risk of disclosure or access,” Karen Schiller, commissioner of the small business division, said in a statement. “But, nonetheless, we agree that encryption provides an added layer of protection.”