The IRS failed to do background checks on some private contractors who handled confidential taxpayer information, exposing more than a million taxpayers to an increased risk of fraud and identity theft, a government investigator said Thursday.
In one case, the IRS gave a printing contractor a computer disk with names, addresses and Social Security numbers of 1.4 million taxpayers, but didn't require a background check for anyone who worked on the job, said a report by the Treasury inspector general for tax administration.
In another case, to transport sensitive documents the IRS used a courier who previously had spent 21 years in prison on arson and other charges. In other cases, contractors underwent background checks but weren't required to sign agreements not to disclose sensitive information, the report said.
"Allowing contractor employees access to taxpayer data without appropriate background investigations exposes taxpayers to increased risk of fraud and identity theft," the inspector general, J. Russell George, said.
IRS policy requires contractors with access to confidential taxpayer information to undergo background checks, though the policy wasn't always followed, the report said. About 10,000 private contractors have access to such information.
The report did not examine whether any of the private contractors misused taxpayer information. But the issue of identity theft has been gaining attention at the IRS and elsewhere.
For 2013, the IRS reported a big jump in thieves trying to fraudulently claim tax refunds using stolen Social Security numbers.
In a statement, the IRS said it takes seriously its responsibility to protect taxpayer information, "and we expect the same from our contractors."
The agency said it was committed to ensuring that all contractors with access to sensitive information undergo thorough background checks. Also, the IRS said it issued more explicit guidance over a year ago to ensure that contractors submit nondisclosure agreements.
"The IRS is committed to clarifying policies and procedures to ensure appropriate security provisions are included in all appropriate solicitations and contracts," the agency said.
George's investigators reviewed 34 IRS contracts that were active in May 2013. They found five contracts in which no background checks were required, even though contractors had access to confidential information, which is labeled "sensitive but unclassified." The contracts were for courier, printing, document recovery and sign language interpreter services.
The report said background checks were required as part of 12 contracts, but workers were allowed access to sensitive information before the checks were completed.
Investigators also identified 20 contracts in which workers did not sign agreements not to disclose sensitive information.