An IRS employee stole multiple people’s identities, and used them to open illicit credit cards to fund vacations and shop for shoes and other goods, according to a complaint unsealed last week in federal court.

The complaint accuses the 35-year-old federal worker of racking up almost $70,000 in charges over the course of two years, illegally using “the true names, addresses, dates of birth, and Social Security numbers” of at least three people.

The US Treasury Department’s Inspector General for Tax Administration (TIGTA), which oversees internal wrongdoing at the IRS, is investigating the crime, although the complaint doesn’t specify how the employee obtained the information.

The arrest, however, comes just months after the Government Accountability Office—the federal government’s auditor, essentially—issued a report raising concerns about the security of taxpayer information held at the IRS. The report said that unaddressed shortcomings left taxpayer data “unnecessarily vulnerable to inappropriate and undetected use, modification, or disclosure,” which could allow employees or outsiders to illegally access millions of people’s personal information.

An IRS call center employee in Atlanta pleaded guilty last year to illegally using taxpayer data to file fraudulent tax returns, ultimately collecting almost $6,000. In 2016, another IRS worker in Atlanta admitted to improperly accessing the personal information of two taxpayers, amassing close to half a million dollars from illicit tax refunds.

An IRS spokesperson referred Quartz to TIGTA, which declined to provide any further information than what is available in the complaint.

Identity theft in the United States is skyrocketing. In 2018 alone, the crime cost consumers about $1.5 billion in losses, according to data from the Federal Trade Commission. More than 167,000 people that year reported that their personal information had been used to alter an existing credit card account or to fraudulently open a new one.

The IRS employee’s alleged scheme took place between January 2016 and February 2018, according to court filings. Investigators say he used a fraudulently obtained American Express card to fly to Sacramento and Miami Beach. He also used the card for some 37 Uber rides, nine payments on his father’s Amazon account totaling $1,200, various purchases at Lowe’s, the Designer Shoe Warehouse, BJ’s Wholesale Club, and a flooring outlet, as well as a $7,400 payment to a business he owned.

The complaint says the employee, who works for the tax agency as a software developer, obtained a second fraudulent credit card, which he used to fly to Montego Bay, Jamaica. A third fraudulent card was used to travel to Iceland. In a particularly brazen move, investigators say the suspect linked this card to a phony PayPal account he opened using his official IRS email address.

But the fraudster’s operational security was apparently lacking, leading investigators literally to his door. While investigators say the IRS employee opened the credit card accounts in other people’s names, he had two of the cards delivered to his home address. The third was sent to his parents’ home nearby.

The phone numbers listed on the accounts also belonged to the suspect, and he accessed emails associated with the accounts from his home IP address. According to investigators, the IRS employee made minimum monthly payments on the American Express card to keep the account open, transferring the funds from his own bank account.

“It’s pretty easy to do something like this if you have such unfettered access to other people’s [personal data],” Cedric Leighton, a 26-year US Air Force intelligence officer and an expert on insider threats, told Quartz. “But it’s also easy for [the inspector general] and other law enforcement agencies to catch a rogue insider like this.”

Leighton, who served as a deputy director of the National Security Agency, said the case “highlights the need for agencies like the IRS to tighten controls” over taxpayer data.

“They also need to do a better job of monitoring employee email traffic because it certainly contained clues that this IRS employee had gone rogue,” he said.