In a stunning development, House Judiciary chair Rep. Jim Jordan (R-Ohio) revealed new details about a massive leak of taxpayer information from the Internal Revenue Service (IRS) during the Biden administration.  According to the latest disclosure, over 405,000 Americans had their sensitive personal information exposed — six times more than the 70,000 the IRS initially reported.  The leak included data from notable figures, including former president Donald Trump, further heightening concerns about the government’s ability to safeguard its citizens’ privacy.

A letter from the Department of Treasury dated February 14 confirmed that 405,427 individuals were affected by the “inappropriately disclosed” information, with 89% of those being business entities.  The letter addressed to Jordan outlined the IRS’s efforts to notify affected taxpayers about what specific personal information was exposed and the relevant tax years.  The IRS indicated in the letter that it has also provided a dedicated email to foster communication between the agency and the affected taxpayers. 

Jordan has vowed to hold the IRS accountable for its failure to protect taxpayer data.  In a statement, Jordan said, “This is a massive scandal, and the American people deserve answers.  The IRS cannot continue to operate without proper safeguards in place to protect the privacy of millions of taxpayers. The leak of information — especially that of former President Trump — is a direct violation of the trust taxpayers place in the government.”

History of the Data Leak and Investigation

The issue of the IRS data leak dates back to 2021 and despite numerous requests for transparency, the IRS has been glacially slow to respond.  In April 2022, the House Ways and Means committee reported that it had been “nearly 10 months” since the data were stolen and leaked, yet the Biden administration still had not provided any clear answers.  IRS commissioner Charles Rettig testified several times in 2022 before the House Ways and Means Committee but notably failed to mention the full extent of the breach in his prepared statement, despite the fact that the theft had been under investigation since the spring of 2021.

On June 9, 2021, Ways and Means Republican leader Kevin Brady (R-Texas) and Senate Finance Committee Ranking Member Mike Crapo (R-Idaho) formally demanded answers in a letter to Commissioner Rettig.  Treasury secretary Janet Yellen also testified before the same committee on June 17, 2021 but did not address the data leak in her prepared statement.

In June 2024, Jordan issued an ultimatum to Heather Hill demanding documents related to her investigation into former IRS contractor Charles Littlejohn.  Hill was the acting inspector general and the Treasury Inspector General for Tax Administration (TIGTA) at the time.  Hill’s investigation uncovered that Littlejohn allegedly “disclosed protected taxpayer information to a third party, including but not limited to, the New York Times or ProPublica.”

Littlejohn allegedly served as an IRS contractor from 2017 until 2021.  On January 29, 2024, the Justice Department announced that Littlejohn “had been sentenced to five years in prison after pleading guilty to one count of disclosing tax return information without authorization.”  Authorities revealed that he had evaded IRS protocols “established to detect and prevent large downloads or uploads from IRS devices or systems.”

The IRS sent an initial letter to affected taxpayers notifying them of Littlejohn’s disclosures and his criminal charges but left many questions unanswered.  According to reporting from Holland and Knight, the first letter from the IRS failed to mention what data had been stolen or how widely the leaked information had been distributed.  However, a subsequent supplemental letter sent to the affected taxpayers on May 10, 2024 included the following clarifications:

In June 2024, the IRS issued a formal apology for the leak.

Failure to Safeguard Taxpayer Information: Outside Contractors and System Weaknesses

A February 6, 2024 report from the Treasury Inspector for Tax Administration highlighted alarming issues with the IRS’s handling of sensitive data.  The report found that 19 outside contractors who had access to protected taxpayer information, continued to retain that access even after failing to pass background checks.  The report states that outside contractor access to one or more sensitive systems continued “because the IRS did not take action to suspend or disable the contractors from the IRS’s systems, as required.”

The 2024 report also concluded that the IRS “does not have adequate controls to detect or prevent the unauthorized removal of data by users.”  Specifically, the TIGTA identified deficiencies in IRS systems that failed to ensure the security of sensitive taxpayer data.  The report concluded

that a key deficiency in the IRS’s detection and deterrence processes did not ensure that all sensitive systems provide complete, accurate, and usable audit trail logs for monitoring and identifying unauthorized access and for other investigative purposes.

Taxpayer data are highly sensitive, and their exposure can result in identity theft, fraud, and other financial risks.  It is troubling enough that personal data from businesses and individuals was leaked.  However, the breach of high-profile figures such as Donald Trump raises further concerns about the potential for politically motivated leaks or insider threats.

Image via Library of Congress.