Internal Revenue Service Commissioner John Koskinen said Thursday the information of up to 100,000 taxpayers may have been stolen in a security breach of an online tool used to apply for federal student aid.
Testifying before the Senate Finance Committee, Koskinen said the IRS identified suspicious activity in the files of people who were using a “data retrieval tool” as they filled out the Free Application for Federal Student Aid. FAFSA is the form the government and colleges use to determine financial aid for millions of students.
The web-based IRS data tool lets people upload tax-return information, but the IRS and Education Department disabled it in March after identity thieves tried to use personal information from it to file fraudulent tax returns. Koskinen told lawmakers that about 8,000 fraudulent refunds were issued, totaling $30 million. The IRS prevented another 14,000 illegal refunds from going out the door and halted action on 52,000 other returns.
The agency is notifying about 100,000 taxpayers of the possible breach, although some of the FAFSA applications that were flagged for suspicious activity are legitimate, Koskinen said.
Security concerns about the data retrieval tool first emerged in September at the IRS, according to the agency head. Officials learned that with relatively little stolen information, identity thieves could pretend to be students, start the financial aid application, and give permission for the IRS to populate the form with tax data that could then be used for fraudulent returns. The IRS alerted the Education Department in October, the same month that the FAFSA application went live. The agencies monitored the situation, but were reluctant to disable a tool that helps families avoid tedious paperwork.
“We agreed with [Education officials] since we did not have, at that time, any volume of criminal activity that rather than shutting it down and add to the burden of people applying for financial aid, we, with them, would monitor that system,” Koskinen said. “But I told them that as soon as there was any indication of criminal activity, we would have to take that application down.”
By mid-February, Koskinen said it became clear that “there was a pattern of activity…that was clearly not consistent with people going on to actually apply for student loans.” He said that upon further review some of that activity was just students who started but failed to complete the application, while some of it was indeed criminal. Within weeks of taking the tool offline, the IRS and Education Department decided to disable it until October to put stronger protections in place.
Applicants can fill out the paper FAFSA form or use the online version and manually enter tax data. But student advocates worry that both of those options will lead to errors. And that could lead to students being asked to verify information with additional documents, a time-consuming process that could take them out of the running for aid awarded on a first-come, first-served basis. Lawmakers have asked states to push back their financial aid deadlines in light of the shutdown, since most jurisdictions rely on the FAFSA to dispense grants. Colleges and universities typically want the FAFSA data by March to help them divvy up their own aid dollars.
Hundreds of thousands of students got an early jump on turning in the FAFSA this season because the window for submitting the form opened in October, two months earlier than usual, giving higher education experts hope that disabling the data tool will have limited impact on students. Even so, many fear that low-income students without proper guidance from parents or counselors are still working through the application, and the outage could discourage completion.
There is an ongoing criminal investigation into the breach. Last week, the IRS briefed the Senate committee on the state of that investigation and the actions the agency has taken in response to the hack. Koskinen said the IRS is combing through documents and continuing to analyze the scope of the breach.