IRS apology in Trump-related case reveals agency’s shoddy tax security

When an Internal Revenue Service contractor embarrassed the agency by leaking confidential information in 2019, attention focused on Donald Trump, who had broken presidential campaign tradition by not revealing his tax records.

But the potential damage went far beyond the president and a few other wealthy Americans whose IRS files were leaked to the New York Times and ProPublica. The leak fueled stories showing how Trump and other mega-wealthy Americans for years paid little or no income tax.

The theft also revealed the private tax data of more than 80,000 people and businesses. That further exposed long-standing IRS cybersecurity shortcomings, a problem plaguing much of government.

IRS officials, pushed by a lawsuit filed by Citadel CEO Kenneth Griffin, apologized to him and the other taxpayers through a news release last week.

“The Internal Revenue Service sincerely apologizes to Mr. Kenneth Griffin and the thousands of other Americans whose personal information was leaked to the press,” the statement said. “The agency believes that its actions and the resolution of this case will result in a stronger and more trustworthy process for safeguarding the personal information of all taxpayers.”

For Griffin, a billionaire Republican megadonor who took no money in the settlement, the case was about accountability, not damages. The leaked taxes showed that Griffin, far from a tax dodger, was the second-largest tax payer in the country from 2013 to 2018.

His statement said he is “grateful to my team for securing an outcome that will better protect American taxpayers and that will ultimately benefit all Americans.”

The IRS confirmed to The Washington Post that 80,000 people and businesses have been affected by the leak, but did not include that figure in its announcement. Although the IRS informed victims through letters that their information was compromised, the apology was communicated only through the news release.

In May, the agency told affected taxpayers that “we do not know—at least not at this point—the full scope of the specific information that Mr. Littlejohn unlawfully disclosed” and that there was “no indication thus far that any of this information” was illegally shared beyond the two news organizations.

When Charles P. Rettig was IRS commissioner two years ago, he downplayed the notion that the tax data was stolen from the agency. He told the Senate Finance Committee there was no indication “that it was actually stolen from the IRS.” Now, after being pressed to do the right thing, the apology from the IRS “acknowledges that it failed to prevent Mr. Littlejohn’s criminal conduct and unlawful disclosure of Mr. Griffin’s confidential data.”

The apology comes after the January sentencing of Charles E. Littlejohn, a former IRS contractor in the District, to five years in prison for leaking the documents. His testimony in the lawsuit reveals how raggedy IRS cybersecurity was.

In a March videotaped deposition, the former Booz Allen Hamilton government-contracting firm employee said, “I was able to access tax returns at will.” He uploaded the records to a private website, “then, on a separate computer, I could log in and download the data.”

To those affected, it might sound like closing the barn door after the horse escaped, but an agency email to The Post said “this incident was simply unacceptable … and it is completely at odds with the IRS’s values and the agency’s commitment to taxpayers. IRS Commissioner Danny Werfel has taken aggressive action to enhance data security to ensure, to the fullest extent feasible, that nothing like the Littlejohn incident from several years ago can happen again in the future.”

That action includes “10 key areas” of enhanced taxpayers’ protection listed in a May 10 IRS document. They include restricting “the number of people with access to the most sensitive taxpayer data sets,” adding “additional firewalls between key taxpayer information and the rest of the IRS,” reducing “dramatically … users’ ability to connect removable media, such as thumb drives, to IRS computers,” and logging “any printing of personal or sensitive tax information … for IRS cybersecurity use.”

Government Accountability Office officials first designated government-wide cybersecurity as a high-risk area in 1997, and IRS information security problems were documented well before the Littlejohn exposures. A 2011 GAO audit said despite some progress, “information security weaknesses … continue to jeopardize the confidentiality, integrity, and availability of financial and sensitive taxpayer information.” Just last week, GAO warned that without “a guidance structure to better protect taxpayer information … it is unclear how IRS will adapt to changing security threats in the future and ensure those threats are mitigated.”

The Treasury Inspector General for Tax Administration, or TIGTA, which conducted the criminal investigation into Littlejohn, reported last year that 21 percent of IRS contractors were delinquent in their required annual privacy awareness training, increasing the risk that they are not prepared to handle taxpayer information. The inspector general will issue a memorandum this month summarizing previously identified IRS data security systemic issues. A TIGTA statement also said it is reviewing how IRS notified taxpayers of the records theft and “confirming whether IRS has ongoing efforts to continue to identify any additional victims of the disclosure.”

In February, TIGTA reported security shortcomings, including “procedures to systemically remove” access to IRS programs for people who no longer require it “were not always working as intended.” The inspector general also discovered 19 contractors who “retained their access to one or more sensitive systems” after unfavorable reports in their most recent background investigations.

As the lawsuit progressed, Griffin’s team was increasingly “horrified at the lack of security and precautions that the IRS takes with people’s confidential information,” Brooke Cucinella, Citadel’s global head of litigation and regulatory inquiries, said during an interview. But the settlement was just what they wanted because it “goes back to them [IRS officials] taking it seriously and committing publicly to investing and fixing these weaknesses and these vulnerabilities.”

But “it shouldn’t take a high-profile lawsuit to extract an apology from an agency that violated Americans’ privacy—and we are awaiting more information on how the IRS plans to prevent this from ever happening again,” House Ways and Means Chairman Jason T. Smith (R-Mo.) said. “The ease and brazenness at which Charles Littlejohn stole and then disclosed confidential financial information for political gain proves change is needed.”

And while “an apology is always nice,” Cucinella said, “an apology with nothing behind it would have been … empty.”

“This always was about accountability.”