IRS Student Loan Application Program Breach Affecting up to 100,000 Taxpayers

On April 6, 2017, IRS Commissioner John Koskinen testified during a Senate Finance Committee meeting that the personal data of up to 100,000 taxpayers may have been compromised by hackers accessing both students’ and parents’ tax information through the Data Retrieval Tool (DRT), a free application for federal student aid data retrieval connected with the Free Application for Federal Student Aid (FAFSA). Obtaining such information allowed these hackers to file fraudulent tax returns and steal refunds.

The last breach of this magnitude occurred in 2015, when outside hackers gained access to over 300,000 tax returns, stealing data and initiating fraudulent returns. In the fall of 2016, the IRS recognized the possibility of a similar threat after noticing that hackers could take advantage of the DRT program, which contained both students’ and parents’ tax information and personal data. The IRS did not shut down the program upon first recognizing this potential weakness, but continued to monitor the risk and shut down the DRT in March after noticing patterns and activity that appeared out of the ordinary.

When questioned why the IRS did nothing to disable the program last fall when initial signs of criminal activity were first noticed, IRS Commissioner Koskinen testified that he did not want to cut off a tool that millions of financial aid applicants use before clear foul play was evident. Commissioner Koskinen further testified that the DRT likely will be unavailable until additional security measures are implemented in October.

While the exact number of those affected remains unknown, the IRS believes fewer than 8,000 fraudulent returns were filed and processed as a result of this criminal activity. IRS investigators identified approximately 14,000 fraudulent returns before refunds were issued, and another 52,000 filings were halted in order to review and analyze the potential for criminal hacking activity. Until this issue has been resolved, students and parents must rely on “analog” devices for inputting data, i.e., a paper FAFSA application.

