Close Menu
The Politic ReviewThe Politic Review
  • News
  • U.S.
  • World
  • Politics
  • Congress
  • Business
  • Economy
  • Money
  • Tech
  • More Articles
Trending

Wildfire Smoke Will Change What Americans Want In A Home

July 17, 2026

Heavy Rains, Flash Floods Hit Texas Hill Country Forcing Evacuations

July 17, 2026

‘Marking Their Own Homework’: Power Network Coverup Probe Accused of Attempted Whitewash

July 17, 2026
Facebook X (Twitter) Instagram
  • Donald Trump
  • Kamala Harris
  • Elections 2024
  • Elon Musk
  • Israel War
  • Ukraine War
  • Policy
  • Immigration
Facebook X (Twitter) Instagram
The Politic ReviewThe Politic Review
Newsletter
Friday, July 17
  • News
  • U.S.
  • World
  • Politics
  • Congress
  • Business
  • Economy
  • Money
  • Tech
  • More Articles
The Politic ReviewThe Politic Review
  • United States
  • World
  • Politics
  • Elections
  • Congress
  • Business
  • Economy
  • Money
  • Tech
Home»Money»Watchdog Finds Serious Gaps In IRS Contractors’ Taxpayer Data Security
Money

Watchdog Finds Serious Gaps In IRS Contractors’ Taxpayer Data Security

Press RoomBy Press RoomJuly 17, 2026No Comments10 Mins Read
Share Facebook Twitter Pinterest Copy Link LinkedIn Tumblr Email VKontakte Telegram

TIGTA identified deficiencies in physical security controls designed to safeguard taxpayer data, security vulnerabilities in the information systems used to process taxpayer information, and weaknesses in information system configuration controls.

getty

The IRS’s effort to convert paper tax documents into digital records is supposed to make tax administration faster and less dependent on manual processing. But a new watchdog memo raises serious questions about whether the private contractors entrusted with that work are adequately protecting taxpayer information.

In an alert focused on the IRS’s Zero Paper Initiative (ZPI), the Treasury Inspector General for Tax Administration (TIGTA) identified several issues, including physical security failures, unresolved computer vulnerabilities, and weak system configuration controls at two contractor facilities.

The findings raise concerns about taxpayer privacy and the IRS’s use of private contractors who were permitted to handle some of the federal government’s most sensitive records without consistently meeting IRS security requirements.

That would be concerning under any circumstances. It is particularly so after the massive disclosure of taxpayer information by Charles Edward Littlejohn, a former IRS contractor employed by Booz Allen Hamilton. The leak returned to the news after a federal judge recently nixed the Trump administration’s proposed settlement of the president’s lawsuit over Littlejohn’s disclosure of his tax information.

What Did Littlejohn Do?

Littlejohn worked as an IRS contractor between 2018 and 2020. According to prosecutors, he evaded controls designed to detect or prevent large downloads and transferred private tax information to his personal storage devices. He then disclosed tax information related to Donald Trump and other individuals and entities to The New York Times and later provided ProPublica with tax information for thousands of wealthy taxpayers, including Elon Musk, Jeff Bezos, Warren Buffett, and Michael Bloomberg.

Those impacted weren’t just billionaires. Tax information involving businesses, partnerships, and other passthrough entities swept additional taxpayers into the breach through Schedules K-1, ownership records, and related documents. The IRS ultimately determined that approximately 406,000 taxpayers were affected.

Littlejohn pleaded guilty in October 2023 to unauthorized disclosure of tax returns and return information. In January 2024, he received the statutory maximum sentence of five years in federal prison.

Was There Any Meaningful Change?

Following the disclosure, the IRS apologized to affected taxpayers and said it would take steps to strengthen its safeguards against unauthorized access and disclosure. But during site visits in 2025, TIGTA found significant problems with contractor security and IRS oversight.

At the two ZPI facilities reviewed by TIGTA, 14 employees entered areas where taxpayer documents were scanned, digitized, or stored without authorization from the IRS. The entries occurred between May and August 2025 at one location and between October and December 2025 at the other.

The memo does not say that those employees accessed documents for an improper purpose or copied, photographed, removed, or disclosed taxpayer information. Rather, TIGTA said the 14 employees collectively entered restricted areas on 1,375 occasions over several months. The memo does not explain how those entries were distributed among the employees or whether they reflected routine workplace access that had not been properly approved.

IRS officials told TIGTA that contractors were required to review physical-access logs annually. The IRS now plans to update Publication 4812, which establishes contractor security and privacy controls, to require monthly reviews or more frequent reviews at the agency’s discretion.

An Open Path to Stored Tax Documents

TIGTA also found that the perimeter fence and loading dock at one contractor site were open and not properly secured. The loading dock provided access to an area where taxpayer documents were stored, and no guards were controlling entry.

The contractor told TIGTA that the dock remained open during the day and was locked at night. It also noted that the contract did not expressly require guards inside the facility. TIGTA disagreed, noting that contractors remain responsible for safeguarding taxpayer data and that IRS standards require a perimeter gate to be guarded or locked with an alarm.

Known Computer Vulnerabilities Remained Unresolved

There were also potentially serious information-system findings.

TIGTA provided an analysis of vulnerability scan reports provided by the IRS and IRS Publication 4812 Contractor Security and Privacy Controls.

Kelly Phillips Erb

At Site 1, TIGTA identified 269 security vulnerabilities in systems processing taxpayer information. Of those, 128—or 48%—had not been resolved within the deadlines imposed by IRS policy.

Twenty overdue vulnerabilities were classified as critical. They had remained unresolved for an average of 223 days, even though the required remediation period was 30 days. Another 84 were considered high-severity and had remained unresolved for an average of 231 days, compared with the required 60-day period.

The medium-severity vulnerabilities averaged 423 days, while low-severity vulnerabilities averaged 504 days. Both substantially exceeded the IRS’s allowable remediation periods.

One critical vulnerability involved software that was no longer supported by its vendor. Once support ends, the vendor generally stops issuing security updates, leaving known weaknesses available for attackers to exploit. Another vulnerability involved an uninstalled database update addressing a weakness that could allow an attacker to bypass authentication and take actions without permission.

TIGTA also found that the IRS Cybersecurity function’s limited contractor assessments would not have identified the overdue vulnerabilities.

Unauthorized Tools and Incomplete Records

At Site 2, the contractor used unauthorized software to scan its systems for vulnerabilities. The issue was not that the tool was open source (open-source software is commonly used in cybersecurity) but that it had not been validated to comply with the Security Content Automation Protocol standards required by IRS policy.

The contractor also failed to retain adequate records of prior vulnerabilities. Without that history, it could not establish when a weakness first appeared or how long it had remained unresolved.

IRS cybersecurity personnel knew that the contractor was using the unauthorized scanning tool, according to TIGTA, but did not take action to enforce the agency’s requirements.

Similar problems appeared in configuration testing. IRS policy required that applicable devices be scanned monthly to determine whether they were securely configured. At Site 1, however, the contractor scanned only a subset. In August 2025, just one of 203 devices was scanned.

The IRS has now developed a monthly process to identify aged, unresolved vulnerabilities for review by procurement officials, project personnel, and contractors.

Privacy Concerns Continue

The alert comes amid broader disputes over access to IRS information.

Nearly two years after Littlejohn’s sentencing, the Treasury Department announced it was canceling all contracts with Booz Allen, accusing the consulting firm of failing to implement adequate safeguards for sensitive information accessed through its IRS work. Treasury said it was terminating 31 contracts representing approximately $4.8 million in annual spending and $21 million in total obligations.

The announcement was made on January 26, 2026, the same day the IRS opened the 2026 individual income tax filing season. Treasury did not expressly say that the timing was intended to send a message, but the decision placed the action squarely within the period when millions of Americans were being asked to submit their most sensitive financial information to the government.

Treasury Secretary Scott Bessent characterized the cancellation as part of the administration’s effort to root out waste, fraud, and abuse and restore confidence in government. The department specifically cited Littlejohn’s conduct, saying Booz Allen had failed to put adequate safeguards in place to protect confidential taxpayer data.

Booz Allen disputed the implication that its own systems enabled the breach. The company condemned Littlejohn’s actions, emphasized that the misconduct occurred on government systems, and said it neither stores taxpayer data on its own systems nor can monitor activity on government networks. It also noted that it cooperated with the investigation that led to Littlejohn’s prosecution.

But contractor security is not the only recent source of concern about access to taxpayer information. In 2025, the IRS entered into an agreement allowing certain taxpayer address information to be shared with Immigration and Customs Enforcement for immigration-enforcement purposes.

According to a separate TIGTA report, ICE asked the IRS for address information tied to more than 1.2 million records. The IRS ultimately provided last-known addresses for approximately 47,000 people after an automated process matched ICE-provided information against IRS records.

TIGTA also found problems with the process. According to TIGTA, the IRS developed an automated matching system before releasing the information, but the criteria “were unable to identify and match the records accurately and consistently.” In some instances, records requests that should have been rejected may not have been. In others, possible matches may have failed due to minor formatting differences.

A federal district court later blocked further disclosures under the policy, finding that the challengers had shown a substantial likelihood that the IRS’s policy change and disclosures were unlawful. The matter has been appealed.

About Taxpayer Privacy

Most Americans have little choice about whether to provide information to the IRS. The tax system requires taxpayers to disclose income, investments, business interests, family circumstances, financial accounts, and other personal details. A tax return can reveal where someone works, how much they earn, whether they own a business, the ages of their children, the organizations they support, the medical expenses they incurred, their retirement savings, foreign holdings, and—in some cases—account numbers connected to financial assets.

To protect taxpayers, the government promises confidentiality. Section 6103 of the tax code broadly prohibits disclosure of tax returns and return information except in specifically authorized circumstances. The prohibition reaches beyond publishing or physically handing over a return. Even confirming that a person filed a return, or discussing information contained in it, can constitute an impermissible disclosure.

Unauthorized inspection is separately prohibited. IRS employees and other authorized users may inspect taxpayer information only when their official duties require it for tax-administration purposes. They cannot browse the returns of friends, relatives, celebrities, political figures—or even themselves—simply because they have access to IRS systems.

Those protections reflect the history of political efforts to use tax information against perceived opponents. Following the Nixon-era abuses and disclosures that eroded confidence in the IRS, Congress rewrote the law in 1976 to establish confidentiality as the default rule rather than treating tax returns as public records largely controlled by the executive branch.

Taxpayers are more likely to report information honestly when they believe it will be used to administer the tax laws and protected from unrelated disclosure. If they believe it may be leaked, used for political purposes, shared for unrelated enforcement objectives, or accessed by inadequately supervised contractors, that confidence begins to erode.

IRS Should Take Security Seriously

TIGTA did not identify evidence that taxpayer information at the ZPI facilities was stolen, leaked, or altered. It did not report a successful cyberattack, nor did it accuse the 14 employees who entered restricted areas of deliberately misusing taxpayer records.

Still, the absence of a known breach is reassuring only when the government has sufficient monitoring, records, and controls to know what occurred. If physical entries are not regularly reviewed, vulnerability histories are incomplete, devices are not scanned, and unauthorized security tools are allowed, the ability to detect or reconstruct improper activity may be weakened.

Littlejohn showed the potential consequences when an insider can exploit access without being stopped. The TIGTA memo shows that contractor oversight remains uneven even after that breach became public and resulted in a criminal conviction.

About TIGTA

TIGTA was established in January 1999 by the IRS Restructuring and Reform Act of 1998 to provide independent oversight of IRS activities. Today, TIGTA provides audit, investigative, and evaluation services to promote integrity, efficiency, and economy in the administration of the nation’s tax system. While TIGTA sits organizationally within the Department of the Treasury and reports to the Secretary of the Treasury and to Congress, the agency is considered to be independent.

You can read the TIGTA memo here.

Read the full article here

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Telegram Copy Link

Related Articles

Money

Wildfire Smoke Will Change What Americans Want In A Home

July 17, 2026
Money

5 Major Rule Changes For Student Loans Are Now In Effect, Here’s What They Do

July 17, 2026
Money

Education Department Begins Notifying Student Loan Borrowers They Have 90 Days To Switch Plans

July 15, 2026
Money

The Saver’s Match Is Coming. Here’s Your $1,000.

July 15, 2026
Money

Top Treasury Tax Official’s Departure Deepens Leadership Crisis At IRS

July 15, 2026
Money

These Student Loans Are Now Cut Off From Affordable Payments And Loan Forgiveness

July 14, 2026
Add A Comment
Leave A Reply Cancel Reply

Editors Picks

Heavy Rains, Flash Floods Hit Texas Hill Country Forcing Evacuations

July 17, 2026

‘Marking Their Own Homework’: Power Network Coverup Probe Accused of Attempted Whitewash

July 17, 2026

Warnock: Trump a ‘Failed President,’ ‘His Support Is Collapsing’

July 17, 2026

Darline Graham is considering running for her brother's Senate seat in South Carolina

July 17, 2026
Latest News

The war must go on: NATO plans for no endgame

July 17, 2026

Polish President Karol Nawrocki Vetoes Bills Giving Rights to Same-Sex Couples, Vows To Protect Marriage as ‘Union of a Man and a Woman’

July 17, 2026

Watchdog Finds Serious Gaps In IRS Contractors’ Taxpayer Data Security

July 17, 2026

Subscribe to News

Get the latest politics news and updates directly to your inbox.

The Politic Review is your one-stop website for the latest politics news and updates, follow us now to get the news that matters to you.

Facebook X (Twitter) Instagram Pinterest YouTube
Latest Articles

Wildfire Smoke Will Change What Americans Want In A Home

July 17, 2026

Heavy Rains, Flash Floods Hit Texas Hill Country Forcing Evacuations

July 17, 2026

‘Marking Their Own Homework’: Power Network Coverup Probe Accused of Attempted Whitewash

July 17, 2026

Subscribe to Updates

Get the latest politics news and updates directly to your inbox.

© 2026 Prices.com LLC. All Rights Reserved.
  • Privacy Policy
  • Terms of use
  • For Advertisers
  • Contact

Type above and press Enter to search. Press Esc to cancel.