December 17,2020

Grassley, Wyden Request Immediate IRS Briefing on Whether Taxpayer Data Was Compromised in SolarWinds Hack

WASHINGTON – Senate Finance Committee Chairman Chuck Grassley (R-Iowa) and Senate Finance Committee Ranking Member Ron Wyden (D-Ore.) today requested IRS Commissioner Chuck Rettig provide an immediate briefing on whether taxpayer data was compromised in the SolarWinds hack.
 
“The IRS appears to have been a customer of SolarWinds as recently as 2017. Given the extreme sensitivity of personal taxpayer information entrusted to the IRS, and the harm both to Americans’ privacy and our national security that could result from the theft and exploitation of this data by our adversaries, it is imperative that we understand the extent to which the IRS may have been compromised,” the senators wrote. “It is also critical that we understand what actions the IRS is taking to mitigate any potential damage, ensure that hackers do not still have access to internal IRS systems, and prevent future hacks of taxpayer data.”
 
Text of the letter follows:
 
We write to express our deep concern about recent reports that several federal government agencies have been compromised by sophisticated hackers. According to these reports, this hacking operation is historic in scope, and has seemingly affected not only the Treasury Department, of which the Internal Revenue Service is the largest bureau, but the Commerce Department, State Department, Department of Homeland Security, National Institutes of Health, and parts of the Pentagon.
 
On Sunday, the Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-01. According to CISA, SolarWinds Orion products are currently being exploited by malicious actors, presenting a “high potential for compromise of agency information systems,” and a successful compromise would have a “grave impact” on federal networks. Agencies have been instructed by CISA to immediately power down SolarWinds Orion products and then hunt for signs of further compromise
 
The IRS appears to have been a customer of SolarWinds as recently as 2017. Given the extreme sensitivity of personal taxpayer information entrusted to the IRS, and the harm both to Americans’ privacy and our national security that could result from the theft and exploitation of this data by our adversaries, it is imperative that we understand the extent to which the IRS may have been compromised. It is also critical that we understand what actions the IRS is taking to mitigate any potential damage, ensure that hackers do not still have access to internal IRS systems, and prevent future hacks of taxpayer data.
 
We request an immediate briefing on the IRS’ efforts to discover whether its systems were breached, and if they were, whether sensitive taxpayer information was stolen.