Notification Process Breaks Down After FAFSA Breach

In early March, the Internal Revenue Service shut down the Data Retrieval Tool that students use to apply for financial aid after the agency learned of a potential data breach.

Although the law requires Federal agencies to inform Congress of such breaches within seven days of their occurrence, Congress first learned of the incident on April 6. The Data Retrieval Tool is part of the Department of Education’s Free Application for Federal Student Aid website, and its breach compromised 100,000 taxpayers’ information.

Jason Gray, chief information officer of Education, admitted at a House Committee on Oversight and Government Reform hearing on May 3 that the agency should have informed Congress of the incident at the same time it alerted the United States Computer Emergency Readiness Team and the inspector general.

“We went through our incident response process. Our IG was notified after US-CERT,” Gray said. “In hindsight, it was important enough to notify Congress.”

Rep. Gerry Connolly, D-Va., expressed disappointment in both IRS and Education, stating that the agencies needed to follow the law even if they doubted the severity of the breach and followed interagency incident response protocol.

“The Department of Education may very well be in breach of law,” Connolly said. “We don’t have traffic laws that allow you to decide you didn’t hurt anyone if you’re speeding. The law is there for a reason. It was incumbent of the Department of Education to inform us in a timely fashion. I frankly think it’s a disservice to the people whose data you possess and I think it’s a violation of the law.”

Education knew about vulnerabilities in its system prior to the breach. IRS warned the department about cyber concerns in October 2016. Gina Garza, CIO of IRS, said her agency did not shut down the Data Retrieval Tool last fall because there was no evidence of data loss or fraud at that time. The incident was detected only when an IRS employee received a courtesy notification email that their information may have been compromised.

The hackers’ aim during the March breach was taxpayers’ adjusted gross incomes, which could be used to file fraudulent tax returns. Because this attack threatened 100,000 people’s financial information, Garza said IRS has started working with Education to increase security measures on the FAFSA site.

“We’ve started to work with Education. We increased monitoring on the application,” Garza said. “We have multilayer defense mechanisms. Protecting taxpayer data is our top priority.”

Tim Camus, deputy inspector general of the Treasury Inspector General for Tax Administration, said that the attack signifies a widespread, determined criminal element that pays close attention to electronic tax administration. For example, the IRS e-file PIN application was exploited in January 2016, a year before IRS noticed unusual activity on FAFSA’s data tool.

Education and IRS’s efforts to rectify the damage from the FAFSA breach have been sluggish, according to several members of the House Oversight and Government Reform Committee. Rep. Jamie Raskin, D-Md., said he receives daily complaints from constituents who think student loan systems are a scam. He described the agencies’ sense of correction as “one of passivity.”

“These are young people’s lives at stake,” said Rep. Mark Walker, R-N.C. “I hope there’s more of a sense of urgency to deal with this issue than there seems to be at this time.”

The Data Retrieval Tool is scheduled to be restored in late May or June. Until then, Rep. Darrell Issa, R-Calif., said Education could benefit from a holistic look at points of weakness within the entire agency. He compared Education to a car whose front wheel almost came off and whose driver did nothing to fix it because the wheel did not fall off completely.

“I want to know how somebody above you is looking at the entire vehicle,” Issa said. “Resolve the thinking that the failure of one part of the whole is not resolved by everybody.”

The Data Retrieval Tool breach and slow efforts to resolve it are part of a larger problem throughout the entire Federal government, according to Rep. Virginia Foxx, R-N.C.

She said incompetence and a lack of accountability caused the FAFSA breach and continue to plague its cleanup.

“Either you’re in denial or incompetent. I think the American people watching this are feeling the same way. I want us to go after any bad actors, but our No. 1 priority is to protect the American people,” Foxx said. “All Americans are affected by the IRS. The problem we have with government agencies is there’s no accountability. And that is a shame, that you all can continue incompetence and not be held responsible.”
