Congressional Committee questions US Dept of Ed and IRS over Data Breach
It hasn’t made the news much, maybe because the US Department of Education never told anyone, including Congress, and still refuses to call it a breach. But officials agree, there has been a data breach, possibly affecting 100,000 taxpayers. The breach stems from the IRS Data Retrieval Tool which imported tax information for the Free Application Federal Student Aid (FAFSA) on the US Department of Education’s website. The IRS knew about this vulnerability in October 2016 but left the tool online and operational. *Important to note that some citizens who have recently received notification in the mail that their data was compromised in this breach, have not even used this FAFSA tool.
NOTE FROM MEW–Before we delve into the hearings, we want to remind you that the USDoE has also received failing FITARA security score (with 400 repeat incidents). Given the track record of failing security, NOT reporting a breach, WHY should they continue to receive ANY student information, much less push for EXPANSION of data collection, a “pinterest of student data” , NATIONAL STUDENT TRACKING DATABASE? We think parents should be able to consent before their child’s data is shared, marketed, profiled outside of the school. If you agree, join us in asking Congress and President Trump to put parents back in control. Fix FERPA.
Today, the Chief Information Officers of both USDoE and IRS were grilled for over 4 hours by legislators from the House Oversight Committee. According to a published report in The Hill,
Rep. Jim Jordan (R-Ohio) said that the IRS only notified Congress of the breach in the public testimony in April, more than a month after confirming that there was suspicious activity on the tool.
Jordan and Rep. Gerry Connolly (D-Va.) indicated that the lack of notification could constitute a violation of the Federal Information Security Modernization Act.
“The breach at the Department of Education is something that we’ve been warning about on this committee for quite some time,” Connolly said. “The Department of Education holds data on 139 million individuals.”
“It seems like it was incumbent on the Department of Education to inform us in a timely fashion,” Connolly said. “I think it’s in violation of the law. I know we’re going to pursue that more.”
Reviewing the FAFSA Data Breach
The House Oversight Committee hearing can be seen here, and highlights, witness testimony posted by the Committee are below.
Witnesses and testimonies
|Mr. James W. Runcie||Chief Operating Officer||Office of Federal Student Aid, Department of Education||Document|
|Mr. Jason K. Gray||Chief Information Officer||Department of Education||Document|
|The Honorable Ken Corbin||Deputy Commissioner||Wage and Investment Division, Internal Revenue Service||Document|
|Ms. Gina Garza||Chief Information Officer||Internal Revenue Service||Document|
|Mr. Tim Camus||Deputy Inspector General||Treasury Inspector General for Tax Administration|