1 / 19

Proactive Detection and Investigation of Unauthorized Access to Tax Returns

This article discusses the proactive measures taken by the Treasury Inspector General for Tax Administration (TIGTA) to detect and investigate unauthorized access to tax returns and tax return information. It highlights the use of audit trails, continuous monitoring, and periodic matching of accesses to various computer systems. A case example is provided to illustrate the successful prosecution of an individual who accessed tax information without a valid reason.

mhines
Download Presentation

Proactive Detection and Investigation of Unauthorized Access to Tax Returns

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. TREASURYINSPECTORGENERALFOR TAXADMINISTRATION Rodney A. Davis Special Agent in Charge Washington Field Division

  2. Title 26 U.S.C. § 7213A • FEDERAL EMPLOYEES AND OTHER PERSONS.—It shall be unlawful for— (A) any officer or employee of the United States, or (B) any person described in section 6103(n) or an officer or employee of any such person, willfully to inspect, except as authorized in this title, any return or return information. PUBLIC LAW 105–35—AUG. 5, 1997 TAXPAYER BROWSING PROTECTION ACTAn ActTo amend the Internal Revenue Code of 1986 to prevent the unauthorized inspection of tax returns or tax return information.

  3. ProactiveDetection Reactive Detection Allegations of unauthorized access • Continuous monitoring using audit trails run against designated scenarios • Periodic matching of accesses to various computer systems DETECTION METHODS

  4. UNAX Proactive Detection and Investigation The SAAS analyzes actions for possible unauthorized accesses IRS employees take actions using IRS Systems Investigative Analysts review leads and develop additional unauthorized accesses Agents conduct interviews and collect evidence

  5. ALERT: 10 access(es) to a TIGTA watch TIN was discovered in the audit trail that was loaded 10272016. Please logon to SAAS to download the results found in the file • The Investigation Development group receives notice of accesses to designated accounts within one to two days • If a potential unauthorized access expedited analysis is conducted and referred to the field within 48 hours Access to High Profile Accounts

  6. A March report indicated an IRS employee access the Federal tax information of an individual potentially at the same address. • Analyst identified potential unauthorized accesses to four other individuals. • Field investigation identified three additional individuals that were accessed without a business purpose. • Total 9 individuals and 94 accesses were substantiated. • Found guilty; sentenced to 12 months probation and fined $750.00. Case Example

  7. The Cybercrime Investigations Division Mission • Aggressively identify, investigate, and provide technical investigative assistance to TIGTA Field Divisions where necessary, with regard to electronic activities which have the potential to compromise IRS networks and/or corruptly interfere with the IRS ability to conduct electronic tax administration, both internally and externally. Cybercrime Investigations Division

  8. Division broken into three functional teams functional teams • Cyber Fraud – Investigates activity that uses cyber protocols as a tool to carry out or obfuscate criminal activity (e.g. phishing) • Network Investigations – Investigates activity where the usage of the cyber protocols constitute a criminal act, and/or advanced protocols or activity employed (e.g. network intrusions, malware) • Data Integrity - Focuses on conducting detailed analysis, both data mining and traditional forensics, of electronic media and logs, as well as proactively understanding and sampling log sets for current and future IRS web services Cybercrime Investigations Division

  9. Sources of cyber data include: • IRS Cybersecurity Fraud Analytics and Monitoring (CFAM) • IRS Web Portals (eAuthenticaiton, Get Transcripts, Online Payment, Identity Protection PIN, Electronic Filing PIN [defunct but active cases]) • Internal Reporting from the IRS Computer Security Incident Response Center (CSIRC) • Illicit activity inside the IRS network • External Reporting from the IRS Office of Online Fraud Detection and Prevention (OFDP) • Phishing, fraudulent web pages etc • IRS Office of Safeguards • Compromised Federal Tax Information (FTI) shared with non-IRS agencies • FBI Cyber Task Force • Other Federal agencies Cybercrime Investigations Division

  10. The Quantified Threat; raw numbers • IRS Computer Security Incident Response Center (CSIRC) • 90,000 employees and approximately 265,000 network nodes • Fiscal Year 2015 reporting for user-generated traffic (i.e. doesn’t include IRS web portals): • 21,469,918,099 connections to the Internet • 896,800 known malicious content connections blocked • 1010 Cyber Incidents registered in their system (“any adverse event whereby some aspect of computer security could be threatened.”) Cybercrime Investigations Division

  11. The Quantified Threat; raw numbers • Office of Safeguards • 300+ state, tribal, federal agencies receive electronic transfers of FTI • Physically inspected every three years by Safeguards • More than 195 “Critical/Catastrophic” findings in the last two years potentially impacting/threatening FTI • OFDP • 2005-2012 when we stopped tracking, 41,598 fraudulent websites • Continued activity, mostly foreign based Cybercrime Investigations Division

  12. The Quantified Threat; raw numbers • IRS Data Loss Prevention Detections • Hundreds of incidents reviewed • Well over 100 Spin-off investigations relating to DLP to date Cybercrime Investigations Division

  13. January 2014 to July 2017 investigative results • 14 Convictions • 556 Months incarceration • $2.23 Million in restitution/fines Cybercrime Investigations Division

  14. Dwaine BrinsonRevenue Inspector GeneralDBrinson@dor.in.gov

  15. Organizational Structure Commissioner Adam J Krupp Revenue Inspector General Dwaine Brinson Investigations Megan Singleton Compliance & Ethics Jared Prentice Internal Affairs Amber Nicole Ying Taxpayer Advocate Tammy Jones Internal Audit Mary Rankin

  16. Internal Affairs | Employee Integrity • Protection of Taxpayer Data • Returns Processing System (RPS) • Personally Identifiable Information (PII) • Investigate Violations of DOR and State policy • Federal Tax Information (FTI) • Referred to TIGTA and Office of Safeguards

  17. Internal Affairs | Employee Integrity • Proactive Investigations • Employee browsing • Celebrity Browsing • Other proactive Initiatives • Reactive Investigations • Ghost Payroll • Misplaced Tax Remittances

  18. Internal Affairs | Employee Protection • Employee and Infrastructure Protection • Threat program • Physical Security Issues

  19. Thank you for your attention. We hope you’re enjoying our fine city!

More Related