IRS Leaks 120,000 Taxpayers' Personal Details

Written by

The US Internal Revenue Service (IRS) accidentally posted sensitive taxpayer data to its site, potentially putting those affected at risk of follow-on fraud.

The problem stemmed from the machine-readable (XML) Form 990-T.

“Form 990-T is the business tax return used by tax-exempt entities, including tax-exempt organizations, government entities and retirement accounts, to report and pay income tax on income that is generated from certain investments or income unrelated to their exempt purpose,” the IRS explained in a brief statement.

“The IRS is required to publicly disclose this information for 501(c)(3) organizations; however, similar information was inadvertently published for a subset of non-501(c)(3)s, which are not subject to public disclosure.”

According to a letter from the IRS to Congress seen by the Wall Street Journal, individual business names and business contact information were leaked in the privacy snafu. An estimated 120,000 individuals were impacted, passing the 100,000 figure which requires notification to lawmakers.

The IRS was at pains to point out that “the data did not include Social Security numbers, individual income information, detailed financial account data, or other sensitive information that could impact a taxpayer’s credit.”

However, it was reportedly left publicly available for a year, and resulted from a coding error that went undetected for months until an employee spotted the mistake.

“The IRS took immediate steps to address this issue. The files have been removed from and will be replaced with updated files in the near future,” the agency said.

“In addition, the IRS also will be working with groups that routinely use the files to remove the erroneous files and replace them with the correct versions as they become available. The IRS will contact all impacted filers in the coming weeks.”

More details about the incident should be forthcoming within the month. In the meantime, the Treasury has ordered the IRS to conduct a “prompt review of its practices” to ensure the right protections are in place to prevent something similar happening in the future.

What’s hot on Infosecurity Magazine?