The Internal Revenue Service mistakenly exposed as many as 2,319 Social Security numbers by posting them on the Internet, which a California-based archivist discovered last week.
The IRS has already come under scrutiny for targeting conservative political groups more frequently for audits and wasting millions of dollars on luxury hotels, alcohol, parody videos and tickets to sports games. The latest allegations against the IRS serve as further embarrassment to an agency that has been under fire for months.
Archivist Carl Malamud of Bulk Resource has long requested that the IRS publicly release transaction documents of nonprofit political groups, which are known as 527s, to allow the public to monitor the spending of charities and other such organizations. The tax forms that these nonprofit groups are required to file are then added to a database, which the IRS has often sent to Malamud for release on his website, Public.Resource.org.
But the IRS told Malamud to disregard the Form 990-Ts, which it had including in its January release. This update contained more than 3,000 tax returns, about 319 of which contained sensitive data, including Social Security numbers.
Once Public.Resource.org noticed that the files contained sensitive information on July 2, they were immediately removed from the site and replaced with a new version. Bulk Resource contacted senior White House officials to notify them of the privacy violations, but the administration did not remove the files from public view until July 3, leaving them available for nearly a full day.
“The IRS has a policy that even in an emergency, their staff are not allowed to use e-mail to communicate with organizations such as ours, a policy that makes it much harder to respond to incidents quickly,” Malamud wrote in a press release. “The IRS has recklessly violated the privacy of Americans and deliberately tried to keep scrutiny away from our worst charities.”
He noted that IRS data security efforts are “unprofessional and amateur,” and is now urging the agency to shut down access to its 527 database to prevent the potential release of any more private information that may be in the documents.
In a report filed to the inspector general’s office, Malamud said that four unique IP addresses had clicked on the documents a total of eight times, but that no privacy complaints had been made. It remains unclear whether or not any identity thieves took advantage of the information before it was taken off the Internet.