The IRS failed to do background checks on some private contractors who handled confidential taxpayer information, exposing more than a million taxpayers to an increased risk of fraud and identity theft, a government investigator said Thursday.
In one case, the IRS gave a printing contractor a computer disk with names, addresses and Social Security numbers of 1.4 million taxpayers, but didn't require a background check for anyone who worked on the job, said a report by the Treasury inspector general for tax administration.
In another case, to transport sensitive documents the IRS used a courier who previously had spent 21 years in prison on arson and other charges. In other cases, contractors underwent background checks but weren't required to sign agreements not to disclose sensitive information, the report said.
"Allowing contractor employees access to taxpayer data without appropriate background investigations exposes taxpayers to increased risk of fraud and identity theft," the inspector general, J. Russell George, said.
IRS policy requires contractors with access to confidential taxpayer information to undergo background checks, though the policy wasn't always followed, the report said. About 10,000 private contractors have access to such information.
The report did not examine whether any of the private contractors misused taxpayer information. But the issue of identity theft has been gaining attention at the IRS and elsewhere.
In recent years the IRS has reported a big jump in thieves trying to fraudulently claim tax refunds using stolen Social Security numbers.
In 2012, the IRS issued $4 billion in fraudulent tax refundsissued $4 billion in fraudulent tax refunds to people using stolen identities, according to an inspector general's report released last year. That same year, the IRS blocked more than $12 billion in fraudulent refunds from going to identity thieves.
Just last month, the FBI's online fraud site, the Internet Crime Complaint Center (IC3), issued an alert that complaints from victims about phony tax returns being filed using their information doubled from 2013 to this year.
CBS News business analyst Jill Schlesinger explained earlier this year that thieves typically steal information by sending "phishing" emails, collecting personal information and then filing a return that information.
In a statement, the IRS said it takes seriously its responsibility to protect taxpayer information, "and we expect the same from our contractors."
The agency said it was committed to ensuring that all contractors with access to sensitive information undergo thorough background checks. Also, the IRS said it issued more explicit guidance over a year ago to ensure that contractors submit nondisclosure agreements.
"The IRS is committed to clarifying policies and procedures to ensure appropriate security provisions are included in all appropriate solicitations and contracts," the agency said.
George's investigators reviewed 34 IRS contracts that were active in May 2013. They found five contracts in which no background checks were required, even though contractors had access to confidential information, which is labeled "sensitive but unclassified." The contracts were for courier, printing, document recovery and sign language interpreter services.
The document recovery contract was to salvage sensitive documents and personal belongings of IRS employees after a single-engine plane crashed into an IRS office building in Austin, Texas, in 2010. An IRS employee in the building was killed in the crash.
George's report said background checks were required as part of 12 contracts, but workers were allowed access to sensitive information before the checks were completed.
Investigators also identified 20 contracts in which workers did not sign agreements not to disclose sensitive information.