The Internal Revenue Service (IRS) unintentionally posted some private individuals’ tax information on its website last week before taking it down, officials said in a letter to Congress on Friday that was obtained by The Wall Street Journal.
Anna Canfield Roth, the acting assistant secretary for management in the Treasury Department, said in the letter to Rep. Bennie Thompson (D-Miss.), the chairman of the House Committee on Homeland Security, that the IRS determined that some machine-readable Form 990-T data was made available for bulk download last Friday, Aug. 26.
The Journal, which first reported the news, stated that the letter also went to other key members of Congress.
The letter states that the IRS took immediate action to address the issue once it was noticed.
The agency said it has removed the files from the website and will replace them with updated files in the coming weeks. It will also work with groups that routinely use the files to remove the erroneous files and replace them with correct versions as they become available.
The IRS plans to contact all filers who were impacted in the coming weeks.
The agency determined that “limited” information for about 120,000 people was posted, but the data did not include Social Security numbers, individual income information, detailed financial account data or other “sensitive” information that could impact their credit.
The data did include some individual names or business contact information in some cases.
The IRS said in a statement that it is required to disclose the information that 501(c)(3) organizations, which are tax-exempt, files related to income generated from certain investments or income unrelated to their exempt status. But similar information was published for a subset of non-501(c)(3) organizations, which are not subject to public disclosure.
The letter states that the agency is continuing to review the situation, and the Treasury Department directed the IRS to conduct a “prompt review” of its practices to ensure necessary guards are in place to prevent future unauthorized disclosures.
Officials will provide additional information, including summaries of the detection, response and remediation activities within 30 days, according to the letter.
Updated on Tuesday, Sept. 6, at 12:44 p.m.