As Fafsa Tool Outage Continues, Lawmakers Investigate Why It Happened

By Adam Harris

The Internal Revenue Service’s data-retrieval tool will be back online for borrowers in income-driven repayment plans by the end of the month, James W. Runcie, chief operating officer of the Education Department’s Federal Student Aid office, told a U.S. House committee on Wednesday. But he offered no respite to those who would like to use the tool to fill out the Free Application for Federal Student Aid, the Fafsa, as it will continue to be offline, for them, until October.

The tool mysteriously and abruptly went offline on March 3. It was later revealed that the tool’s absence stemmed from a breach that may have affected the data of up to 100,000 people. The IRS estimates that 8,000 potentially fraudulent claims led it to issue tax refunds amounting to more than $30 million. Wednesday’s hearing, of the Committee on Oversight and Government Reform, sought to uncover how the breach of the tool had occurred, but ultimately, it raised more questions than it answered.

Lawmakers in both the House and the Senate have pushed the IRS and the Education Department to hasten the process of getting the tool back online for both Fafsa applicants and people in income-driven repayment plans.

On Monday, Sen. Lamar Alexander, Republican of Tennessee, and Sen. Patty Murray, Democrat of Washington, requested weekly staff briefings on the status of the tool in a letter to Betsy DeVos, the education secretary. The two senators, who serve as the chair and ranking member, respectively, of the chamber’s education committee, also asked that the department create an action plan to reinstate the tool before the previously stated deadline of October.

“It’s definitely a good sign that they are working to put the … tool back online as quickly as possible,” said Clare McCann, a senior policy analyst at New America, in an interview with The Chronicle. But it’s bad news for the millions of Fafsa filers who won’t be able to use the tool — which makes the process much easier because it imports existing tax data — to file the student-aid form, she said.

The Path Not Taken

Some legislators on the committee argued a different point, echoing the written statement of Justin S. Draeger, president of the National Association of Student Financial Aid Administrators. “Perhaps most troubling” about the current status of the tool, he argued, “is the fact that this situation could have been avoided with better decision making in September 2016, when the potential for abuse of the DRT was first identified.”

Why, they asked, was something not done sooner?

Gina Garza, chief information officer at the IRS, told the committee that her agency “took immediate action” and that no data was lost in September, when an attempt was made to view the tax data of an individual using the tool. The IRS began working with the Department of Education in October to strengthen authentication measures in the system.

The Federal Student Aid office “sought to determine the best approach to minimize the vulnerability” — that the IRS had identified — “without causing major disruption to students, parents, and borrowers,” Mr. Runcie wrote in his prepared testimony.

The agencies agreed to keep the tool in use while the IRS increased monitoring to detect suspicious activity. In February an IRS employee told the agency that the data had been compromised. The tool was eventually taken offline in March, when there was clear evidence that the tool had been used for criminal activity.

“The problem is that people don’t understand where to start in terms of securing their platforms, and what to protect,” said Mike Sanchez, a cybersecurity expert who was part of the initial team that investigated the Office of Personnel Management’s breach, in 2015. “They want to protect against everything,” which is impossible for technical and logistical reasons. Instead, agencies should zero in on specific problems as opposed to letting them build into major incidents, said Mr. Sanchez, now chief information-security officer at UDT.

“We did not take lightly the decision to disrupt the DRT,” said Ms. Garza, adding that she believes the IRS made a sound decision, and that protecting taxpayer data is the agency’s highest priority.

But the tool’s outage has created untold problems for those who rely on it, despite steps by the department to relieve some of the burden on students and families.

“While the IRS was able to identify 100,000 individuals impacted by the data theft, it may not be possible to measure the impact of the DRT outage on students who may have missed a financial-aid deadline or never even completed a financial-aid application because of this issue,” wrote Mr. Draeger.

At the conclusion of the hearing, some legislators said they were upset that Congress had not been alerted to the breach sooner, and with the winding responses of the people who testified. “It has been extraordinarily difficult to get any kind of specific answer out of any of you,” said Virginia Foxx of North Carolina, chair of the House education committee.

In a memo issued on Wednesday, the Education Department said it would provide further details about a solution and its impact on students and borrowers in the “coming weeks.”
