In a scathing report published on March 27, 2017, the Treasury Inspector General for Tax Administration blasted the Internal Revenue Service (IRS) following its analysis of the IRS’ steps following a data breach in 2015 that resulted in the theft of over 330,000 documents that were used in the filing of fraudulent tax returns.

According to the report, the IRS ignored warnings that its PIN application was compromised, failed to disable it as the Treasury Inspector General suggested, and failed to develop or implement an effective strategy to mitigate the continued filing of fraudulent tax returns. The strategy employed by the IRS was to keep the PIN application running and to manually review tax returns filed with an IP PIN. But when the Inspector General audited the process, it discovered that of the 33,000 tax returns filed between January and May of 2016, only 12,000— representing around 38 percent of the total, had not been reviewed at all. The report indicates that the IRS paid out $42.4 million in refunds to the 12,000 returns that weren’t checked.