WASHINGTON — The Internal Revenue Service handed U.S. Immigration and Customs Enforcement the last known addresses of nearly 47,000 people under a data-sharing deal struck last year, but it did so using a matching process that government auditors found could not identify records “accurately and consistently,” and it sent some of that information to an agency that had not met federal standards for protecting taxpayer data.
That is the conclusion of a final evaluation report issued June 4, 2026, by the Treasury Inspector General for Tax Administration, the independent watchdog known as TIGTA that oversees the IRS. The report, numbered 2026-IE-R010, examined how the IRS carried out a Memorandum of Understanding it signed with the Department of Homeland Security on behalf of ICE.
The numbers tell the core of the story.
In a letter dated June 27, 2025, ICE asked the IRS for the last known addresses of more than 1.2 million individuals. According to the report, the IRS ultimately provided address information for approximately 47,000 records, a figure TIGTA’s own analysis put at 47,289, corresponding to roughly 46,965 individuals.
The rest of ICE’s request went nowhere. The report’s data breakdown shows that 25,253 records were rejected for not meeting the agreement’s criteria, and a further 1,204,922 records simply did not match IRS records at all. In the report’s own summary phrase, “Most ICE Data Did Not Match IRS Records.” Put differently, the overwhelming majority of the people on ICE’s list could not be matched to an IRS address.
The auditors were concerned about the quality of the IRS’s matching system. “The criteria were unable to identify and match the records accurately and consistently,” the report states. The IRS designed an automated process that, in places, required an exact match to the data ICE supplied — but the auditors found that approach buckled under messy, inconsistent data.
Why did the matching fail
The report devotes a section to the technical breakdown, and the examples are revealing. The data ICE provided “had no uniform formatting,” the auditors wrote. Addresses arrived crammed into a single field, sometimes missing street numbers, city, or state. Names came in inconsistent forms — one name, two names, an initial, or some combination, separated by hyphens, spaces, or nothing at all.
Because the IRS’s filters demanded near-exact matches, trivial differences broke them. The report lists address variations that failed to match, including “AVE vs. AVE” and “STREET vs. ST.” On the name side, “JOHN MICHAEL DOE” would not match “JOHNMICHAEL DOE.” The consequence cut both ways: some genuine matches were missed, while some invalid records slipped through.
On that second point, the report found the IRS’s validation was thin. The process essentially checked that an address field was not blank and contained a five- or nine-digit number that “could be considered a ZIP code,” but it built no filter to weed out non-ZIP codes. As a result, the auditors identified addresses that the IRS treated as valid and passed to ICE, but that were plainly unusable. The report’s examples include entries reading “REFUSED TO PROVIDE U.S. ADDRESS” and “FAILED TO PROVIDE U.S. ADDRESS,” along with placeholder ZIP codes such as 99999 and 00000.
After TIGTA raised these concerns with IRS officials in November and December 2025, the IRS manually reviewed what it had sent and confirmed the auditors’ findings. On February 11, 2026, the IRS’s Chief Risk and Control Officer filed a declaration in related litigation acknowledging that the agency may have supplied last-known addresses to ICE when ICE-provided address information was incomplete or insufficient. The IRS estimated that fewer than 5 percent of the 47,289 individuals it matched had potentially incomplete or insufficient address information. IRS officials stated that they provided only the last known address and shared no other tax information.
The security gap
Beyond the matching problems, the report flags a separate and serious issue: ICE had not satisfied the IRS’s own data-security requirements before the agreement was signed.
The IRS conducts what it calls a safeguard review of any agency that receives federal tax information, then issues a Safeguard Review Report documenting any findings. The report states that, for ICE, a number of those findings — the specific count is redacted — “remained open at the time of the data transfer.” The auditors noted that ICE had not submitted a Corrective Action Plan to address those findings before signing the April 2025 agreement, and that ICE had failed to file required semiannual corrective action plans due in January 2024, July 2024, and January 2025.
When ICE did submit a plan in July 2025, the report states, it “provided no implementation date for when these actions would be completed.” A scheduled triennial safeguard review of ICE, set for April 13, 2026, was postponed due to a partial government shutdown that furloughed the DHS team responsible for it. As of May 2026, the report says, ICE had not provided its updated January 2026 corrective action plan.
The auditors warned of the stakes in measured language: “Without assurance that findings have been mitigated, there is a potential risk that ICE could fail to properly safeguard taxpayer data received from the IRS.”
The legal backdrop
The data-sharing arrangement traces to two executive orders issued in early 2025 — one directing DHS to move quickly to remove certain noncitizens, and another aimed at breaking down barriers to interagency data sharing. The Treasury and Homeland Security secretaries signed the Memorandum of Understanding on April 7, 2025, citing an exception in Internal Revenue Code Section 6103(i)(2) that permits the IRS to disclose certain non-tax return information to aid criminal investigations.
The report notes plainly that IRS officials had reservations. News media reported that IRS officials “were concerned about developing and signing the data-sharing agreement,” primarily over the arrangement’s legality.
Those legal questions remain live. The report lists three lawsuits filed in federal court. In one, Centro de Trabajadores Unidos v. Bessent, a judge in May 2025 declined to block the data sharing, and an appeals court upheld that denial in February 2026. But in another, Center for Taxpayer Rights v. IRS, a court in November 2025 temporarily barred the IRS from sharing further return information with DHS except in strict compliance with the law, finding, in the report’s words, that the IRS’s “unlawful conduct has created a substantial likelihood that plaintiffs and their members will suffer irreparable harm.” A third case was filed in the United States District Court for the District of Massachusetts in September 2025.
The IRS told the auditors it notified DHS on January 23, 2026, of the address-matching problems and asked for help fixing them. Pending the lawsuits, the report states, DHS and ICE confirmed they “will not inspect, view, use, copy, distribute, rely on, or otherwise act on the IRS data provided.”
What the watchdog recommended
Notably, the report makes no formal recommendations. The auditors explained that they have separate, ongoing reviews of the IRS’s broader data-sharing practices and that they plan to share their concerns about ICE’s security findings with the DHS Office of Inspector General. The evaluation, signed by Deputy Inspector General Nancy A. LaManna, was framed around what TIGTA called a major management challenge: “Protecting Taxpayer Data.”
The report grounds that concern in a principle it states directly: taxpayers “have the right to expect that any information they provide to the IRS will not be disclosed unless authorized by the taxpayer or by law.”
This article was originally written in English. The French and Haitian Creole versions were produced using AI translation software; errors may occur, and the English version is authoritative. CTN also uses AI to convert text to audio.
https://ctninfo.com/of-1-2-million-r…tion-enforcement/
https://www.facebook.com/CaribbeanNewsMedia
