WASHINGTON The personal data of about 20,000 U.S. Internal Revenue Service employees going back to 2007 or earlier may have been exposed on the Internet, but no general taxpayer information or records were part of the security breach, the agency said on Tuesday.
IRS Commissioner John Koskinen said in a statement that an unencrypted thumb drive containing the information was plugged into an employee's unsecured home network, making the information potentially accessible to third parties online.
He said the drive contained "sensitive personnel information, including names, Social Security numbers and addresses, of some employees, former employees and contracted employees."
Koskinen said: "At this point, we have no direct evidence to indicate this personal information has been used for identity theft or other inappropriate uses."
The 20,000 employees worked in Pennsylvania, New Jersey and Delaware, the IRS said.
Representative Dave Camp, the Republican who chairs a congressional panel that oversees the IRS, said: "The IRS has repeatedly broken the American people's trust, and the Ways and Means Committee will take a thorough look into this incident."
(Reporting by Patrick Temple-West; Editing by Kevin Drawbaugh and Amanda Kwan)