Agency Heads Excoriated on Financial-Aid Data Breach

WASHINGTON (CN) – House Republicans laid into IRS and Department of Education officials Wednesday over a security breach that compromised the tax data of roughly 100,000 people through the federal student-aid website.

“It appears to me at the end of the day you’re either in denial of what happened or you’re incompetent and just untruthful in what’s happening here,” Rep. Jody Hice, R-Ga., said at a hearing this morning of the House Oversight and Government Reform Committee. “The abuse that’s been inflicted on American citizens by the IRS is inexcusable, and it’s time that there’s accountability and some change that takes place at the IRS.”

The data breach involved a tool in the Free Application for Federal Student Aid (FAFSA) that allows loan applicants to easily import their adjusted gross income into their forms. By posing as student-aid applicants, hackers were able to exploit the tool to get hold of other tax information, which they in some cases used to file fraudulent tax returns.

Though the IRS caught on to the abuse this past February, the agency had warned the Department of Education that the FAFSA data-retrieval tool was vulnerable to such a breach in October 2016.

Before the IRS shut down the FAFSA data-retrieval tool this past March, someone had tried to use stolen data to find the adjusted gross income of a “prominent individual,” according to the written testimony of Timothy Camus, deputy inspector general for investigations for the Treasury Inspector General for Tax Administration.

IRS chief information officer Silvana Garza blamed the delay on the IRS and Department of Education’s attempts to balance the need for applicants to use the data-retrieval tool with the threat of a breach.

Relative to the number of accounts compromised, the hack led to the filing of only a few fraudulent returns. Members of the House Oversight Committee were furious nevertheless over what they said was a lackluster response from the agencies, compounded by an unwillingness of the representatives at Wednesday’s hearing to provide specific details about the breach.

“It has been extraordinarily difficult today to get any kind of specific answer out of any of you,” Rep. Virginia Foxx, R-N.C., said at the close of the hearing Wednesday.

Undercutting their boasts of department commitments to cybersecurity, the witnesses at the hearing repeatedly proved unable to give specific answers to lawmakers’ questions. Members of the committee also were concerned that the agencies did not notify Congress of the breach within the one-week window called for in federal law.

Department of Education chief information officer Jason Gray said his agency did not think it had to report the breach to Congress immediately because it was the IRS’ data that hackers accessed. Gray also said there was not enough information about the breach in the first week to warrant going to Congress, but that they did report it to other agency authorities.

Eventually, however, Gray admitted to the committee that his agency should have tipped off Congress earlier.

“Hindsight, sir, yes, it was important enough to notify Congress,” Gray said. 

That admission failed, however, to satisfy Republicans, who continually demanded accountability from the agencies for the breach that jeopardized personal information of thousands of Americans.

“You’re blaming each other,” Foxx said. “The American people frankly are tired of this kind of display of incompetence again. You all [either] cannot answer questions or will not answer questions — it’s a little difficult to know.”

%d bloggers like this: