Internal Revenue Service (IRS) Commissioner John Koskinen says the information of up to 100,000 taxpayers may have been stolen in a security breach of an online tool used to apply for federal student aid. Testifying before the Senate Finance Committee, the Commissioner said the IRS identified suspicious activity in the files of people who were using a “data retrieval tool” as they filled out the Free Application for Federal Student Aid (FAFSA). FAFSA is the form the government and colleges use to determine financial aid for millions of students.
The web-based IRS data tool lets people upload tax-return information, but the IRS and Education Department disabled it in March after identity thieves tried to use personal information from it to file fraudulent tax returns. Koskinen told lawmakers that about 8,000 fraudulent refunds were issued, totaling $30 million. The IRS prevented another 14,000 illegal refunds from going out the door and halted action on 52,000 other returns. The agency is notifying about 100,000 taxpayers of the possible breach, although some of the FAFSA applications that were flagged for suspicious activity are legitimate, Koskinen said.
Security concerns about the data retrieval tool first emerged in September at the IRS, according to the agency head. Officials learned that with relatively little stolen information, identity thieves could pretend to be students, start the financial aid application, and give permission for the IRS to populate the form with tax data that could then be used for fraudulent returns. The IRS alerted the Education Department in October, the same month that the FAFSA application went live. The agencies monitored the situation, but were reluctant to disable a tool that helps families avoid tedious paperwork. Commissioner Koskinen said:
We agreed with [Education officials] since we did not have, at that time, any volume of criminal activity that rather than shutting it down and add to the burden of people applying for financial aid, we, with them, would monitor that system. But I told them that as soon as there was any indication of criminal activity, we would have to take that application down.
By mid-February, the commissioner said it became clear that “there was a pattern of activity…that was clearly not consistent with people going on to actually apply for student loans.” He said that upon further review some of that activity was just students who started but failed to complete the application, while some of it was indeed criminal. Within weeks of taking the tool offline, the IRS and Education Department decided to disable it until October to put stronger protections in place.
Applicants can fill out the paper FAFSA form or use the online version and manually enter tax data. But student advocates are concerned that both of those options will lead to errors. That could lead to students being asked to verify information with additional documents, a time-consuming process that could take them out of the running for aid awarded on a first-come, first-served basis. Lawmakers have asked states to push back their financial aid deadlines in light of the shutdown, since most jurisdictions rely on the FAFSA to dispense grants. Colleges and universities typically want the FAFSA data by March to help them determine use of their own aid dollars.
Hundreds of thousands of students got an early jump on turning in the FAFSA this season because the window for submitting the form opened in October, two months earlier than usual. That gave higher education experts hope that disabling the data tool will have limited impact on students. However, many fear that low-income students, without proper guidance from parents or counselors, are still working through the application, and the outage could discourage completion.
There is an ongoing criminal investigation into the breach. The IRS briefed the Senate committee on the state of that investigation and the actions the agency has taken in response to the hack. Commissioner Koskinen said the IRS is going through documents and continuing to analyze the scope of the breach. Nevertheless, this is a most serious matter. Hopefully, the damages from this breach will be minimized to the extent possible.
Contact us today for a free legal consultation with an experienced attorney.
Fields marked *may be required for submission.
If you would like to subscribe to the Jere Beasley Report digital edition, simply visit our Subscriptions page and provide the necessary information or call us at 800-898-2034.
Attorney Advertising - Prior results do not guarantee a similar outcome.