IRS Commissioner Josh Koskinen testified before the Senate Finance Committee that a breach in the IRS Data Retrieval Tool (DRT) has allowed hackers to gain access to the personal information of 100,000 students, who use the tool to fill out the Free Application for Federal Student Aid (FAFSA). Identity thieves used this information to fill out fraudulent tax returns and steal an estimated $30 million from the U.S. government.

The tool works by importing students’ and families’ tax information – such as Adjusted Gross Income – directly from the IRS to their FAFSA application. The Data Retrieval Tool was popular among students, who used it to save time in applying for financial aid and student loans. It turns out that hackers were also fans of the online service; they could use fairly basic personal information to begin FAFSA applications in the guise of students. The DRT would then provide hackers with confidential tax information, which they could use to file fraudulent tax returns and steal money from American taxpayers.

Senator Orrin Hatch questioned Koskinen on why the IRS waited so long to take down the compromised Data Retrieval Tool. According to Koskinen, the IRS realized that the DRT may jeopardize taxpayer information, and therefore disabled the tool in order to address security concerns. However, most of the fraudulent tax returns in question were filed in January – months after the IRS realized the tool posed a security risk. Koskinen says he was alerted to the problem in September, but students continued to use the tool until it was taken down in March.

In 2015, as many as 17 million students had the option of using the Data Retrieval Tool to fill out their financial aid applications. This year, the IRS flagged 100,000 tax return applications that may have come from hackers who made use of the DRT, although Koskinen says “that number may grow.” Of the 100,000 students whose information may have been stolen, the IRS has notified 35,000.

The exploitation of the Data Retrieval Tool is far from the only security breach that taxpayers need to worry about. Under Koskinen, the IRS has repeatedly failed to protect taxpayer information; in one breach in 2016, as many as 600,000 taxpayer accounts were jeopardized. The Government Accountability Office released a report accusing the agency of “significant deficiency” when it comes to protecting taxpayer data.

Koskinen, though, does not seem to be concerned about the IRS’s systematic failure to protect taxpayer information. “Fortunately, we were at the front end of this problem,” he testified. “We’ve been monitoring it. We have other areas we’re monitoring. We’re trying to anticipate where the criminals will attack next.”

Photo Credit: M. Seery