Data breach of IRS student financial aid tool may have affected 100,000 taxpayers

A data breach in the Internal Revenue Service’s Free Application for Federal Student Aid, or FAFSA, tool, which the IRS was forced to shut down last month, may have affected up to 100,000 taxpayers.

The IRS shut down the tool last month when it noticed suspicious activity occurring (see IRS student loan link goes dark).

Andrew Harrer/Bloomberg

In early April, the IRS started mailing notifications about the breach to some 100,000 taxpayers who may potentially have been affected, though Commissioner John Koskinen testified before the Senate Finance Committee last week that the service believes that fewer than 8,000 fraudulent returns were processed (see IRS chief reports to Congress about tax season amid new push for his ouster). Up to $30 million in refunds were issued before the tool was shut down.

“Student financial aid is another area where we have concerns about the potential for unauthorized attempts at obtaining taxpayer information,” said Koskinen. “We have been working with the Department of Education to secure the online process through which student financial aid applicants obtain their family’s financial information, which they need in order to complete the Free Application for Federal Student Aid (FAFSA) or apply for an income-driven repayment (IDR) plan for their student loans. As part of this effort, in early March we disabled our IRS Data Retrieval Tool (DRT) found on the fafsa.gov website after we became concerned about the misuse of taxpayer data by criminals masquerading as students. Our IT, cybersecurity and privacy experts spent the next three weeks working with their counterparts in the office of Federal Student Aid (FSA) to find a way to secure the data provided to applicants for financial aid.”

“Fortunately, we caught this at the front end," Koskinen said, according to The New York Times. "Our highest priority is making sure we protect taxpayers and their identity.”

The IRS posted a questions and answers page on its website to help provide further information about the suspicious activity found on its data retrieval tool and the FAFSA form.

Security experts believe more government entities should be sharing information about tax fraud and security breaches. “You have to have some sort of alert system,” said Haywood “Woody” Talcove, CEO of the government unit at the technology company LexisNexis Risk Solutions, which provides tax security services to some state governments. “The other part that needs to start happening is data sharing. Once you identify a bad entity, it needs to be shared as quickly as possible.”