IRS investigating possible breach of data retrieval tool

(Getty Images)

Share

Written by

Identity thieves may have used the IRS’s data retrieval tool to obtain taxpayers’ sensitive information connected to the Education Department’s federal student aid application.

The IRS is investigating how many people may have been affected by “questionable use” of the data retrieval tool, according to a joint announcement Thursday from the IRS and Education Department.

The scope of those affected is not yet clear. The data retrieval tool, which plays a key role in helping students apply for aid through the Education Department, has been down since early March and won’t be back “until extra security protections can be added” — likely not before next FAFSA season, which begins in October.

The agency believes identity thieves may have used taxpayer information stolen outside the system to login through an integration on the Free Application for Federal Student Aid website, FAFSA.gov, to secure further tax information.

“The IRS continues to review the extent to which this contributed to fraudulently filed tax returns,” the statement says. “The IRS has identified instances where our strengthened fraud reviews stopped questionable tax returns by filers who also accessed the [data retrieval tool].”

As it identifies taxpayers whose information may have been put at risk through the data retrieval tool, the IRS is “marking and locking down those taxpayer accounts to provide additional protection against an identity thief filing a fraudulent tax return.”

The agency is also finalizing plans to alert those affected about the potential for identity theft.

The IRS and Education Department did not return FedScoop’s requests for comment prior to publication.

The outage in early March was first attributed to “system maintenance” to fix a technical issue, but it was later revealed the issue stemmed from security concerns.

“As part of a wider, ongoing effort at the IRS to protect the security of data, the IRS decided to temporarily suspend the Data Retrieval Tool (DRT) as a precautionary step following concerns that information from the tool could potentially be misused by identity thieves,” the Education Department announced March 9. “The scope of the issue is being explored, and the IRS and FSA are jointly investigating the issue. At this point, we believe the issue is relatively isolated, and no additional action is needed by taxpayers or people using these applications.”

Typically, with the tool, eligible FAFSA applicants can “access the IRS tax return information needed to complete the Free Application for Federal Student Aid (FAFSA), and transfer the data directly into their FAFSA from the IRS Web site,” according to FAFSA.gov. Without it, inputing that information creates hurdles for both applicants and those processing and reviewing the forms, Justin Draeger, president of the National Association of Student Financial Aid Administrators, told FedScoop when the systems first went down.

“The problem is that the entire application and verification processes are built on this IRS data retrieval tool. So for some students it is going to be a longer process and for other students it could lead to a lot of other headaches,” Draeger said. “There also may be extra work on the other side of the application for those verifying information.”

While it’s still possible for user to manually input that information, it may be the difference for many students between affording college or not, especially those who can’t easily access their parents’ past tax records.

IRS Commissioner John Koskinen sympathized with applicants who face the tedious manual data input of the past but stressed the importance of protecting taxpayers’ sensitive data.

“While this tool provides an important convenience for applicants, we cannot risk the safety of taxpayer data,” Koskinen said. “Protecting taxpayer data has to be the highest priority, and we will continue working with FSA to bring this tool back in a safe and secure manner.”

-In this Story-

breach, Cybersecurity, data breach notification, Education, Education Department, IRS
TwitterFacebookLinkedInRedditGoogle Gmail