Transcript Delivery System Authentication and Authorization Processes Do Not Adequately Protect Against Unauthorized Release of Tax Information

The Commissioner, Wage and Investment Division, should send notification letters of interim authentication requirements to the 4,022 e-Services TDS users not notified and revoke access privileges for any users that do not complete the interim authentication requirements.

The Commissioner, Wage and Investment Division, should implement multifactor authentication for e-Services, which includes the TDS application, to comply with Federal Government Information Security Standards.

The Commissioner, Wage and Investment Division, should implement processes and procedures to ensure that legitimate taxpayers authorize the release of their tax transcripts. In addition, discontinue offering tax transcripts via those processes in which the IRS cannot confirm whether legitimate taxpayers authorized the release of their tax transcripts.

The Commissioner, Wage and Investment Division, should implement processes and procedures that prevent the use of data scraping programs to request tax transcripts.

The Commissioner, Wage and Investment Division, should suspend the IVES Program until processes and procedures are put in place to ensure that a legitimate taxpayer signed a Form 4506-T, Request for Transcript of Tax Return, authorizing the release of their tax transcript to IVES participants and their clients. This could include notifying taxpayers of the release of their tax information or mailing tax transcripts to the taxpayer's address of record for them to provide to the requestor.