It hasn’t made the news much, maybe because the US Department of Education never told anyone, including Congress, and still refuses to call it a breach. But officials agree there has been a data breach, possibly affecting 100,000 taxpayers. The breach stems from the IRS Data Retrieval Tool, which imported tax information into the Free Application for Federal Student Aid (FAFSA) on the US Department of Education’s website. The IRS knew about this vulnerability in October 2016 but left the tool online and operational. It is important to note that some citizens who recently received notification in the mail that their data was compromised in this breach have never even used this FAFSA tool.

NOTE FROM MEW–Before we delve into the hearings, we want to remind you that the USDoE has also received a failing FITARA security score (with 400 repeat incidents). Given this track record of failing security and NOT reporting a breach, WHY should the Department continue to receive ANY student information, much less push for EXPANSION of data collection, a “pinterest of student data”, a NATIONAL STUDENT TRACKING DATABASE? We think parents should be able to consent before their child’s data is shared, marketed, or profiled outside of the school. If you agree, join us in asking Congress and President Trump to put parents back in control. Fix FERPA.


THE BREACH

Today, the Chief Information Officers of both USDoE and IRS were grilled for over 4 hours by legislators from the House Oversight Committee. According to a published report in The Hill,

Rep. Jim Jordan (R-Ohio) said that the IRS only notified Congress of the breach in the public testimony in April, more than a month after confirming that there was suspicious activity on the tool.

Jordan and Rep. Gerry Connolly (D-Va.) indicated that the lack of notification could constitute a violation of the Federal Information Security Modernization Act.

“The breach at the Department of Education is something that we’ve been warning about on this committee for quite some time,” Connolly said. “The Department of Education holds data on 139 million individuals.”

“It seems like it was incumbent on the Department of Education to inform us in a timely fashion,” Connolly said. “I think it’s in violation of the law. I know we’re going to pursue that more.”


Reviewing the FAFSA Data Breach

The House Oversight Committee hearing can be seen here; the highlights and witness testimony posted by the Committee are below.

Full House Committee on Oversight and Government Reform

Hearing Date: May 3, 2017, 9:30 am, 2154 Rayburn House Office Building

TAKEAWAYS:

  • The Department of Education (the Department) refuses to recognize this as a “data breach” and has not implemented solutions to fix the vulnerabilities.
  • The Treasury Inspector General for Tax Administration witness testified that individuals involved in prior criminal activity against the Internal Revenue Service (IRS) were also involved in this exploitation of the Free Application for Federal Student Aid and the Data Retrieval Tool (DRT).
  • In September of 2016, the IRS identified vulnerabilities with its DRT and did not take immediate action to encrypt and secure sensitive data.
  • FISMA requires that agencies notify Congress of a “major incident” within seven days of detection. The Department and the IRS failed to meet this legal obligation and notified Congress 38 days after the incident.

PURPOSE:

  • To examine operational and cybersecurity decisions made by the Department and the IRS regarding the security breach of the DRT.

BACKGROUND:

  • In March 2017, the Department and the IRS shut down the DRT on FAFSA.gov and StudentLoans.gov when hackers gained access to taxpayers’ adjusted gross incomes, which criminals can use to file fraudulent tax returns.
  • IRS warned the Department about this security vulnerability as early as October 2016; they continued to discuss the problem for several months until suspicious use had risen to the level that a shutdown was required.
  • Initial estimates show 120,000 taxpayers’ information impacted, and the administration of financial aid processing has been disrupted.

KEY VIDEOS:

Rep. Jody Hice (R-GA): “It appears to me at the end of the day you’re either in denial of what happened or you’re incompetent or you’re just untruthful in what’s happening here . . . the abuse that’s been inflicted on American citizens by the IRS is inexcusable and it’s time that there’s accountability and some change that takes place at the IRS.”


Chairman Mark Meadows (R-NC): At what point are we going to get [notifying Congress of data breaches] right? Because we continue to have breaches . . .and yet what happens is we’re always coming in after the fact to look at this.


Rep. Paul Mitchell (R-MI): “When you’ve got something as important as personal information from the amount of students you have, the moment in time that you think your data has been breached you have . . . a moral if not legal responsibility to notify Congress. That’s a lot of information and it wasn’t done, and it’s not the first time it wasn’t done.”


Witnesses and testimonies

Name                        | Title                         | Organization                                                        | Document
Mr. James W. Runcie         | Chief Operating Officer       | Office of Federal Student Aid, Department of Education               | Document
Mr. Jason K. Gray           | Chief Information Officer     | Department of Education                                             | Document
The Honorable Ken Corbin    | Deputy Commissioner           | Wage and Investment Division, Internal Revenue Service              | Document
Ms. Gina Garza              | Chief Information Officer     | Internal Revenue Service                                            | Document
Mr. Tim Camus               | Deputy Inspector General      | Treasury Inspector General for Tax Administration                   |

https://oversight.house.gov/hearing/reviewing-fafsa-data-breach/


Cheri Kiesecker