Full Report
Erin Schilling and Erin Slowey report: The IRS’ improper disclosure of thousands of immigrants’ personal information to the Department of Homeland Security fulfilled early warnings that the data-sharing deal between the agencies would put taxpayer data at risk. The IRS and DHS in April 2025 agreed to share data of immigrants to help with criminal... Source
Analysis Summary
# Incident Report: Improper IRS Disclosure of Taxpayer Data to DHS
## Executive Summary
The Internal Revenue Service (IRS) improperly disclosed the personal address information of thousands of immigrants to the Department of Homeland Security (DHS) / Immigration and Customs Enforcement (ICE). This incident stemmed from a failure to adhere to the strict data-sharing limitations set forth in a 2025 inter-agency agreement, resulting in the unauthorized release of sensitive taxpayer data. The breach highlights significant risks associated with automated government data-sharing programs and the legal complexities of Section 6103 of the Internal Revenue Code.
## Incident Details
- **Discovery Date:** February 11, 2026 (Wednesday prior to reporting)
- **Incident Date:** April 2025 to February 2026
- **Affected Organization:** Internal Revenue Service (IRS)
- **Sector:** Government / Federal
- **Geography:** United States
## Timeline of Events
### Initial Access
- **Date/Time:** April 2025
- **Vector:** Authorized Inter-agency Data Sharing Agreement
- **Details:** The IRS and DHS entered into a formal agreement to share immigrant data for non-tax criminal investigations, specifically to verify addresses provided by ICE.
### Lateral Movement
- **N/A:** This was not a network intrusion. The "movement" occurred via authorized API or data transfer channels established between the IRS and DHS/ICE systems.
### Data Exfiltration/Impact
- After ICE requested verification for 1.28 million addresses, the IRS successfully verified 47,289 individuals.
- For approximately 5% of verified individuals (est. 2,300+ people), the IRS overshared data by providing new or complete address information that ICE did not previously possess, violating the "matching-only" restriction.
### Detection & Response
- **Discovery:** Internal audit or disclosure by the agency (announced Wednesday, Feb 11, 2026).
- **Response Actions:** The IRS publicly acknowledged the oversharing error and identified it as a violation of privacy law limitations.
## Attack Methodology
- **Initial Access:** Valid administrative agreement and data sharing protocols.
- **Persistence:** Ongoing automated data matching processes.
- **Privilege Escalation:** Not applicable; the system exceeded its intended functional logical bounds.
- **Defense Evasion:** Not applicable; the breach was caused by operational error rather than malicious evasion.
- **Credential Access:** Not applicable.
- **Discovery:** Automated database queries against taxpayer records.
- **Lateral Movement:** Authorized data transfer between agencies.
- **Collection:** Programmatic extraction of taxpayer address data.
- **Exfiltration:** Improper data transfer to an external agency (DHS/ICE).
- **Impact:** Compromise of taxpayer confidentiality and violation of Section 6103.
## Impact Assessment
- **Financial:** Unknown; potential for legal costs or administrative fines.
- **Data Breach:** Sensitive address information for thousands of immigrants.
- **Operational:** Potential suspension or overhaul of the IRS-DHS data-sharing program.
- **Reputational:** High; confirms early warnings that data-sharing deals put vulnerable populations at risk.
## Indicators of Compromise
- **Network indicators:** N/A
- **File indicators:** N/A
- **Behavioral indicators:** Abnormal data export volumes or fields in automated IRS-to-DHS response logs; inconsistencies between "Verification Only" flags and "Data Provided" flags.
## Response Actions
- **Containment:** Disclosure of the error to the public and potentially to the impacted oversight committees.
- **Eradication:** Correction of the software logic or manual processes that allowed "oversharing" instead of simple "verification."
- **Recovery:** Review of the 47,289 records to identify the specific individuals whose data was improperly handled.
## Lessons Learned
- **Key Takeaways:** Data matching agreements require strict technical "guardrails" to prevent partial matches from turning into full data disclosures.
- **Failure Point:** The system provided ICE with *incomplete* information it didn't already have, rather than merely confirming what it did have.
## Recommendations
- **Strict Data Minimization:** Implement hard-coded logic that restricts IRS outputs to "Match/No Match" results only, precluding the possibility of sending actual data strings.
- **Independent Auditing:** Require third-party or Inspector General (TIGTA) review of code and data flows before activating inter-agency sharing.
- **Privacy Impact Assessment (PIA):** Conduct a revised PIA to address the specific failure of the 2025 agreement.