Treat tax data like Fort Knox: Our view

The IRS is "literally always under attack" by hackers around the world, IRS Commissioner John Koskinen told the USA TODAY Editorial Board in February, "because if you could get in … it's a great place to get data."

Koskinen sure had that right.

Just about the time of his comment, criminals were breaching the IRS' very own "Get Transcript" website. They gained access to the tax records of more than 100,000 Americans, a mother lode of personal information that allowed them to submit phony returns and steal refunds.

The breach, which the Senate Finance Committee put under a microscope Tuesday, is more proof that the IRS has become a too-easy mark for fraudsters. Identify theft has exploded since 2010, and in 2013, crooks made off with $5.8 billion in fraudulent refunds on 1 million returns. As the agency has fought back, it's no surprise that criminals are looking to update their scams.

They found a weakness on the Get Transcript website, which was announced with fanfare at a White House event last year. The website allows taxpayers to obtain copies of their prior-year records online, without calling the agency and waiting several days for snail mail. The old system was slow, perhaps, but at least it was secure.

Before the agency moved to provide more customer convenience, it should have made sure this data was protected like the gold in Fort Knox. Instead, its method for validating taxpayers' identities was about as sophisticated as using p-a-s-s-w-o-r-d for your password.

Thieves came to the site well-armed with personal information easily stolen elsewhere — name, Social Security number, birth date, tax filing status, home address and an email — to get past the first step.

In the next step, taxpayers were asked several personal multiple choice questions whose answers were supposedly known only to them, such as a previous address. To anyone who knows much about security, that's laughable. The information is easy to find with some searching on the Internet, and it has been compromised by identity thefts going back several years. "People who think this data is private are crazy," says security consultant Avivah Litan. Which is why any company or agency using it needs backup security to authenticate users.

What's most shocking is that the IRS either wouldn't know that or wouldn't care enough to find alternatives. Just as shocking is that the breach went on for three months, through mid-May, when the agency's cyber security team spotted unusual activity on the site.

In March, security blogger Brian Krebs uncovered and wrote about a taxpayer who went to the Get Transcript site and found a thief using his Social Security number had already gotten his transcript.

Most of the blame for this mess goes to the IRS, and Koskinen took responsibility at Tuesday's Senate hearing. But some of the same members of Congress who bash the IRS have starved the agency of funding.

In inflation-adjusted terms, today's IRS budget is equal to what it was in 1998, and now the agency has to process 30 million more returns. The agency is an easy whipping boy: Who likes tax collectors? But congressional Republicans, angry over a political scandal in which the IRS targeted conservative political groups for extra scrutiny, have taken the budget cutting too far.

If lawmakers want to get a jump on tax fraudsters, they'll need to give the IRS enough money to update its systems and get the expert help it needs. As for the IRS, when the choice is between adding convenience for taxpayers or keeping their confidential data safe, security should always win. Breaches like this erode confidence in the entire tax system.

USA TODAY's editorial opinions are decided by its Editorial Board, separate from the news staff. Most editorials are coupled with an opposing view — a unique USA TODAY feature.

To read more editorials, go to the Opinion front page or sign up for the daily Opinion e-mail newsletter.