Actions Were Not Always Taken to Protect Taxpayers Associated With Reported External Data Breaches

The Commissioner, Wage and Investment Division, should record the 89 data breaches on the Incident Management Tracker Matrix Record, calculate an incident risk assessment score for each incident, and apply the appropriate treatment for each incident. This includes requesting a list of TINs for those 70 breaches for which a TIN list was not provided.

The Commissioner, Wage and Investment Division, should develop processes to ensure that all reported data breaches are added to the Incident Management Tracker Matrix. In addition, ensure that RICS analysts follow internal guidelines for adding reported TINS to the DSL, request the TIN list from external entities when they do not provide one, and attempt to develop a TIN list when an external entity declines to provide it, if appropriate.

The Commissioner, Wage and Investment Division, should research the 27,270 TINs and the 2,976 TINS TIGTA identified as potentially not being on the DSL to determine if they were previously added, and for those not added, include them on the DSL.

The Commissioner, Wage and Investment Division, should add the 185 TINs that TIGTA identified to the DSL to allow detection of potential identity theft returns filed using the TINs.