On September 2, 2022, the IRS announced the accidental release of around 120,000 taxpayers’ confidential information. The breach involved information from IRS Form 990-T, which tax-exempt entities use to file income taxes on income earned from investments unrelated to their exempt classification.
On August 26, 2022, the IRS discovered that data from Form 990-T, made available for bulk download in XML (machine-readable) format, had been accidentally made public. The section that housed the information, the Tax Exempt Organization Search (TEOS), is used by entities that can access machine-readable data, so other areas of the 990-T form were unaffected.
The IRS attributes the mistake to a human coding error last year when Form 990-T switched from paper-only to electronic filing. An IRS employee discovered the publication of the confidential data, and the IRS immediately took steps to remove the information.
Businesses, entities, and organizations that use Form 990-T are affected by the incident. These include tax-exempt organizations, retirement accounts, and government entities.
The IRS reported that the published data did not include detailed taxpayer information, Social Security numbers, individual income tax return information, or other data that can affect taxpayers’ credit. However, it does contain business contact information and individual names.
The IRS immediately removed the errantly published material from IRS.gov and plans to replace the files in the next few weeks. The IRS is also contacting all taxpayers whose information was posted to advise them of the situation.
Per the Federal Information Security Modernization Act (FISMA) and guidelines outlined by the Office of Management and Budget (OMB), the IRS alerted the public to the publishing error within seven days of its occurrence.
Due to the number of people affected, over 100,000, the IRS considers the error a major incident. Under these circumstances, the IRS is required to disclose the error for 501(c)(3) organizations. It has also disclosed the breach for the subset of non-501(c)(3) filers who were affected.