100,000 taxpayer accounts possibly exposed in student aid online tool security breach
Thursday, April 06, 2017
It was supposed to be the annual Capitol Hill review of how the current tax filing season is going.
It was supposed to be a time for the Internal Revenue Service to shine since, as the IRS commissioner said during a public speech yesterday, it's been the smoothest filing season since he took the top job in December 2013.
Student loan tax data security concerns: While 2017 filing season specifics are good, IRS Commissioner John Koskinen also had some bad news during his testimony this morning before the Senate Finance Committee.
Personal information for up to 100,000 taxpayers may have been compromised in the security breach of the IRS Data Retrieval Tool that's used to complete the online Free Application for Federal Student Aid, or FAFSA.
Apparently, members of Congress actually got this disturbing tax cyber security news last week in a closed briefing, according to the opening statement of Finance Committee Chairman Sen. Orrin Hatch (R-Utah).
But Koskinen discussed it in general terms today in the public Senate tax-writing panel session.
In addition to the overall 100,000 potentially hacked taxpayer accounts connected to the FAFSA tax data, around 8,000 fraudulent refunds actually made it through the IRS processing system.
The cost of those criminally filed fake returns? About $30 million.
On a more positive note, Koskinen said IRS filters stopped 52,000 returns that tried to use the education assistance tax data and prevented issuance of 14,000 illegal refunds.
Koskinen said that the agency has sent letters to 35,000 individuals who used the IRS Data Retrieval Tool alerting them to possible exposure of their tax data.
Hundreds of security holes: The IRS Data Retrieval Tool was introduced in 2012 to help students and their families obtain higher education financial assistance.
Folks start the FAFSA process at the U.S. Department of Education's Federal Student Aid website and then the IRS tool automatically fills in the taxpayer's income data to complete the application.
When the possibility that the FAFSA-related data could be breached was originally discovered last fall, the IRS and Education Department didn't detect any indication of criminal activity, Koskinen told the Senate Finance Committee. They decided to let the system run as usual so as not to inconvenience students seeking financial aid.
By early this year, however, the IRS discovered what Koskinen called a criminal pattern. "So we shut the system down," he said.
It takes relatively little information to start the FAFSA process and then you simply let the IRS automatically fill out the rest using its data. Criminals can start the process using personal student and taxpayer data that they obtain from sources other than the IRS.
In the latter part of January, Koskinen said, the agency noticed a spike in incomplete student aid applications.
Some of those could have been legitimate, he noted, with people just deciding not to go through with the student aid process.
But, said Koskinen, the IRS' position is that if it can't confidently distinguish which are real, unfinished applications and which are fake ones started simply to get the IRS to automatically add tax information, it's better to shut down the compromised tax tool.
"So out of an abundance of caution, we flagged all 100,000 accounts," the commissioner said.
The numbers may grow as IRS further analyzes the student aid tax identity theft attempt.
Hundreds of cyber security holes to plug: The FAFSA data tool is not the first IRS area to be attacked by tax identity thieves.
"After our problem with the Get Transcript [online tool] two years ago, I asked the agency to take a look at every way anyone gets either money or information out of our systems," Koskinen said in response to a question about overall tax security from Senate Finance Committee Ranking Member Sen. Ron Wyden (D-Oregon).
"I thought there might be 30 or 40. It turns out there are over 200 different ways we provide tax data to mortgage companies, finance companies [and] the department of education," the commissioner added.
Koskinen said an agency-wide examination is underway to look at each of these potential cyber security breach areas and determine what can be done to secure them.
Old-school FAFSA filings: As for FAFSA, the IRS tool to facilitate those applications won't be available for the rest of this application cycle while the IRS continues its investigation.
UPDATE: On June 2, the Department of Education announced that the IRS FAFSA online income verification tool was working for certain students who apply to repay their eligible loans with income-driven repayment plans. Details in this post.
The closure, however, won't halt the FAFSA process. It will just make it a bit less convenient to apply.
You can still fill out a free student aid application online, but since there's no more automatic entry of tax data by the IRS Web tool, you'll have to complete it totally on your own.
The IRS has a special Web page with help for students and their families who are seeking the tax information necessary to fill out financial aid applications.
Steps for the FAFSA affected: As for those folks whose tax data might have been compromised by the FAFSA-related issues, be on the lookout for the IRS letter with further information and instructions.
Even if you aren't notified in connection with the security breach, keep an eye on your tax and financial data.
If you haven't already filed your 2016 tax return, you might want to do so ASAP so that your real 1040 gets processed before a crook tries to file using your FAFSA-obtained data.
You also might find these items of interest:
- Giving thanks for educational tax breaks
- Fear you might be a tax ID theft victim? Here's what to do
- IRS efforts to catch cyber criminals hampered by budget cuts, investigator attrition