There was some good news and some bad for taxpayers at Tuesday’s Senate Finance Committee hearing on Cybersecurity and Protecting Taxpayer Information just days away from this year’s tax filing deadline on April 18.

On the plus side, IRS Commissioner John Koskinen testified that the tax-collecting agency had stopped identity thieves from filing 1.4 million fake returns and collecting $8.7 billion in fraudulent refunds, and that number may even be higher. A report from the Government Accountability Office presented at the hearing said the IRS had estimated $22.5 billion in refunds from fake returns were thwarted, but that an estimated $3.1 billion in fake refunds were paid out by the agency.

“The reality is criminals are becoming increasingly sophisticated and are gathering vast amounts of personal information as the result of data breaches at sources outside the IRS,” said IRS Commissioner John Koskinen. “To fully protect taxpayers and the tax system, the IRS must not only keep pace with, but also get ahead of, criminals and criminal organizations, as they improve their efforts to obtain personal taxpayer information.”

And that has not necessarily happened. 

Russell George, Treasury Inspector General for the Tax Administration (TIGTA) at the U.S. Treasury, testified that “IRS processes and procedures to authenticate individuals requesting online access to IRS services” don’t always comply with government standards.

Authentication for users of its Get Transcript application, which allows taxpayers to request copies of their old tax returns, and for its Identity Protection personal ID numbers (IP PIN), for example, required only single-factor authentication, such as a single password, when government standards require multifactor authentication for such high-risk applications, said George. And even the single-factor framework didn’t comply with government standards, he said.
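To make concrete what the distinction between a single-factor and a multifactor gate means for a high-risk application, here is an added illustration in Python. It is not IRS code and describes no IRS system; the account store, the user name and the "stolen" password are constructed for the example, and the TOTP seed and timestamp used in `demo()` are the published RFC 6238 test vector so the result is deterministic. The weak gate accepts a password alone, which is exactly the credential an attacker may already hold from an unrelated breach; the hardened gate additionally demands a time-based one-time code from a second device.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed demo credential store (no real data). Each record holds a salted
# PBKDF2 password hash (knowledge factor) and a TOTP seed enrolled on a second
# device (possession factor). Function and account names are hypothetical.
PBKDF2_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def enroll(username: str, password: str, totp_seed: bytes) -> dict:
    """Create an account record with both factors registered."""
    salt = secrets.token_bytes(16)
    return {
        "user": username,
        "salt": salt,
        "pw_hash": _hash_password(password, salt),
        "totp_seed": totp_seed,
    }


def verify_password(account: dict, password: str) -> bool:
    candidate = _hash_password(password, account["salt"])
    return hmac.compare_digest(candidate, account["pw_hash"])


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, using RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(account: dict, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current 30s step plus +/- `window` steps for clock drift."""
    for drift in range(-window, window + 1):
        expected = totp(account["totp_seed"], unix_time + drift * 30)
        if hmac.compare_digest(expected, code):
            return True
    return False


def login_single_factor(account: dict, password: str) -> bool:
    """The weak gate: a password obtained anywhere is sufficient to get in."""
    return verify_password(account, password)


def login_mfa(account: dict, password: str, code: str, unix_time: int) -> bool:
    """The hardened gate: both factors must pass; a stolen password alone fails."""
    return verify_password(account, password) and verify_totp(account, code, unix_time)


def demo() -> dict:
    # RFC 6238 test vector: ASCII seed "12345678901234567890" at T=59 -> "287082".
    seed = b"12345678901234567890"
    fixed_time = 59
    acct = enroll("taxpayer-demo", "correct horse battery staple", seed)
    stolen_pw = "correct horse battery staple"   # constructed: assume it leaked elsewhere
    return {
        "single_factor_with_stolen_pw": login_single_factor(acct, stolen_pw),
        "mfa_with_stolen_pw_no_code": login_mfa(acct, stolen_pw, "000000", fixed_time),
        "mfa_with_both_factors": login_mfa(acct, stolen_pw, totp(seed, fixed_time), fixed_time),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ACCEPTED' if ok else 'REJECTED'}")
```

The point the example isolates is the one George made: with a knowledge-only gate, the service's security is bounded by the secrecy of data that breaches elsewhere routinely expose, so a possession factor (here TOTP, though a hardware authenticator serves the same role) is what lets the service reject a correct-but-stolen password.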

As a result, hackers obtained access to an estimated 334,000 taxpayer accounts, according to the IRS, but George said an additional 390,000 accounts were hacked. The agency suspended Get Transcript, and earlier this year reactivated IP PIN despite TIGTA’s recommendation against doing so, before suspending it again in March.

“It is unacceptable for the IRS to leave the front door open to hackers by using a weak authentication process for its Get Transcript system,” said Ron Wyden, ranking member of the committee, and then, after reactivating IP PIN, leaving “the back door open too.”

The IRS has already received $290 million to support upgrades to its systems to protect against identity theft and other cybersecurity issues but has been having difficulty attracting experienced IT staffers. Wyden and Koskinen recommended that Congress renew the “streamlined critical pay authority,” which expired in 2013 and makes it easier for the IRS to recruit and retain the IT employees needed to strengthen its anti-hacking and anti-fraud operations. “Without that authority, our ability to replace [key employees] then is very questionable,” Koskinen said.

He explained that the agency was allotted 40 slots for cybersecurity but filled only 34 and is now down to about 13 or 14 people, of whom about 10 will be gone by this time next year if nothing changes. Even the head of the agency’s cybersecurity operations has left before his term ran out, said Koskinen.

A bipartisan bill that renews the streamlined critical pay authority was “ready to go last fall” and should move forward in the Senate Finance Committee as soon as possible, said Wyden. He also called on the committee to move forward on a bipartisan identity theft bill that gives the IRS authority to regulate private tax return preparers.

Sen. Orrin Hatch, R-Utah, concluded the hearing by noting that he hopes to continue working with colleagues on a bipartisan basis to improve cybersecurity and protect taxpayer information at the IRS.
