100,000 federal student aid applicants at risk of identity theft after IRS breach
Internal Revenue Service (IRS) Commissioner John Koskinen admitted that information from student financial aid applicants may have been stolen by hackers, including names, birth dates and Social Security numbers, during testimony to the Senate Finance Committee on Thursday.
Koskinen said the problem came from a “data retrieval tool” that gave millions of student loan applicants the ability to upload their tax information from a federal return to a Free Application for Federal Student Aid (FAFSA) online.
The IRS examined 200 different ways that taxpayer information could be accessed. The agency found that hackers could easily breach the system using an e-file PIN. All they needed to sign on was a taxpayer’s Social Security number, name and address.
“And of course social security numbers can be bought online for $10 by organized criminals,” Koskinen said, adding that by February, the IRS saw “a pattern of activity…that was clearly not consistent with people going on to actually apply for student loans.”
“It was clear that some of the activity was legitimate students, some of it was criminals,” Koskinen testified.
In March, the data retrieval tool was shut down for security reasons, and a new system was enacted where taxpayers were required to enter their last year’s adjusted gross income.
"While this tool provides an important convenience for applicants, we cannot risk the safety of taxpayer data. Protecting taxpayer data has to be the highest priority, and we will continue working with FSA to bring this tool back in a safe and secure manner,” Koskinen said in a statement issued last Thursday.
When Senator Ron Wyden (D-Oregon) asked if the number of FAFSA applicants who had their information hacked could be higher than 100,000, the commissioner replied, “The number may grow, although we've continued to look at it and analyze it, ours -- at this point, all of the analytics with the Department of Education shows that the pool is about 100,000.”
He says that IRS filters stopped an estimated 52,000 returns from being processed, with 14,000 of those identified as illegal returns "that didn't get out the door, but were there." Less than 8,000 fraudulent tax returns were actually processed.
Koskinen told lawmakers that the IRS will notify all 100,000 taxpayers who may be at risk, with 35,000 letters already sent to potential victims.
There is currently an ongoing criminal investigation into the breach.