FAFSA Tool Vulnerability May Have Exposed 100K Individuals’ Personal Info


The Free Application for Federal Student Aid is a bit cumbersome, so the Department of Education tried to ease that burden by creating a tool that automatically filled in an applicant’s previous year’s tax information. That tool was suddenly taken offline last month over concerns about data security, and now we have some idea of how many applicants may have had their information exposed.

The New York Times reports that the personal information of as many as 100,000 consumers may have been compromised when hackers used the Data Retrieval Tool to generate tax information and then fill out fraudulent tax returns.

The Data Retrieval Tool was introduced by the Department of Education as an attempt to streamline the FAFSA process. The tool allows families filling out the FAFSA forms to retrieve their tax information directly from the Internal Revenue Service.

IRS Commissioner John Koskinen revealed more details of the hack, which was first uncovered in March, during a Senate Finance Committee hearing on Thursday.

The breach was allegedly facilitated by hackers who posed as students using the Data Retrieval Tool to apply for federal financial aid. Koskinen believes that about 8,000 fraudulent returns were filed and processed through the scheme.

Koskinen told the Committee that the agency has already sent letters to about 35,000 taxpayers explaining that their personal information may be at risk and plans to contact all 100,000 potentially affected consumers.

The IRS shut down the tool in March, and the Dept. of Education announced recently that the tool would remain unavailable until the fall of 2017, in order to allow additional protections to be implemented.

“Fortunately we caught this at the front end,” Koskinen said during the hearing, as reported by the Times. “Our highest priority is making sure that we protect taxpayers and their identity,” he said.

The Times reports that the IRS became aware of possible issues with the tool last fall. When asked why it took several more months before the tool was disabled, Koskinen told the Committee that the agency didn’t want to cut off the tool for millions of consumers before there was adequate evidence to confirm the hack.