Senate Finance Committee Chairman Orrin Hatch has demanded the IRS provide details about how exactly hackers were able to steal tax information for more than 100,000 taxpayers.
"It is critical that this committee fully understand what took place, what information was at risk, how this may affect tax administration, and what appropriate legislative responses may be needed to reduce the risk of this occurring again," Hatch, R-Utah, said Wednesday in a letter to IRS Commissioner John Koskinen.
Hatch posed eight questions regarding the hack and asked the IRS to provide his committee with a confidential briefing no later than June 5.
The IRS announced on Tuesday that hackers, using previously stolen information, were able to impersonate taxpayers and breach the IRS "Get Transcript" system, allowing them to steal 104,000 old tax returns.
"Every year, the IRS collects more than 140 million individual tax returns, roughly 6 million corporate tax returns, and millions of sensitive information returns and other filings," Hatch wrote. "It is no exaggeration to say that the confidential taxpayer information your agency holds is of the utmost private nature for every single taxpayer in the United States."
Koskinen said Tuesday that the IRS believes the attack was conducted by an organized crime syndicate who likely wanted information that could help criminals file fake returns to steal tax refunds.
"Taxpayers must know that the information they send to the IRS is secure. And hackers who would steal that information must know that they will suffer severe consequences for their crimes," Hatch said in a statement Tuesday. "What's more, this agency has been repeatedly warned by top government watchdogs that its data-security systems are inadequate against the growing threat of international hackers and data thieves."
A Government Accountability Office (GAO) report from March warned that security vulnerabilities at the IRS allow former employees to continue to access Americans' sensitive financial information long after leaving the agency.
The GAO cited deficiencies in the security of IRS computer systems, which it said were still vulnerable to a number of security breaches, partially because the IRS used outdated software with security holes, leaving private taxpayer information vulnerable to hackers.
"Taxpayers could be exposed to loss of privacy and to financial loss and damages resulting from identity theft or other financial crimes," GAO said.
The IRS knew about the security flaws, even going so far as to purchase more secure systems and create new rules, but according to the GAO, the IRS "had not effectively implemented elements" of the new security systems.
"IRS did not install appropriate security updates on all of its databases and servers, and did not sufficiently monitor control activities that support its financial reporting," the GAO said.