The Internal Revenue Service’s data-retrieval tool will be back online for borrowers in income-driven repayment plans by the end of the month, James W. Runcie, chief operating officer of the Education Department’s Federal Student Aid office, told a U.S. House committee on Wednesday. But he offered no respite to those who would like to use the tool to fill out the Free Application for Federal Student Aid, the Fafsa, as it will continue to be offline, for them, until October.
The tool mysteriously and abruptly went offline on March 3. It was later revealed that the tool’s absence stemmed from a breach that may have affected the data of up to 100,000 people. The IRS estimates that 8,000 potentially fraudulent claims led it to issue tax refunds amounting to more than $30 million. Wednesday’s hearing, of the Committee on Oversight and Government Reform, sought to uncover how the breach of the tool had occurred, but ultimately, it raised more questions than it answered.
Lawmakers in both the House and the Senate have pushed the IRS and the Education Department to hasten the process of getting the tool back online for both Fafsa applicants and people in income-driven repayment plans.
On Monday, Sen. Lamar Alexander, Republican of Tennessee, and Sen. Patty Murray, Democrat of Washington, requested weekly staff briefings on the status of the tool in a letter to Betsy DeVos, the education secretary. The two senators, who serve as the chair and ranking member, respectively, of the chamber’s education committee, also asked that the department create an action plan to reinstate the tool before the previously stated deadline of October.
“It’s definitely a good sign that they are working to put the … tool back online as quickly as possible,” said Clare McCann, a senior policy analyst at New America, in an interview with The Chronicle. But it’s bad news for the millions of Fafsa filers who won’t be able to use the tool — which makes the process much easier because it imports existing tax data — to file the student-aid form, she said.
The Path Not Taken
Some legislators on the committee argued a different point, echoing the written statement of Justin S. Draeger, president of the National Association of Student Financial Aid Administrators. “Perhaps most troubling” about the current status of the tool, he argued, “is the fact that this situation could have been avoided with better decision making in September 2016, when the potential for abuse of the DRT was first identified.”
Why, they asked, was something not done sooner?
Gina Garza, chief information officer at the IRS, told the committee that her agency “took immediate action” and that no data was lost in September, when an attempt was made to view the tax data of an individual using the tool. The IRS began working with the Department of Education in October to strengthen authentication measures in the system.
The Federal Student Aid office “sought to determine the best approach to minimize the vulnerability” — that the IRS had identified — “without causing major disruption to students, parents, and borrowers,” Mr. Runcie wrote in his prepared testimony.
The agencies agreed to keep the tool in use while the IRS increased monitoring to detect suspicious activity. In February an IRS employee told the agency that the data had been compromised. The tool was eventually taken offline in March, when there was clear evidence that the tool had been used for criminal activity.
The problem is that people don’t understand where to start in terms of securing their platforms, and what to protect.
“The problem is that people don’t understand where to start in terms of securing their platforms, and what to protect,” said Mike Sanchez, a cybersecurity expert who was part of the initial team that investigated the Office of Personnel Management’s breach, in 2015. “They want to protect against everything,” which is impossible for technical and logistical reasons. Instead, agencies should zero in on specific problems as opposed to letting them build into major incidents, said Mr. Sanchez, now chief information-security officer at United Data Technologies.
“We did not take lightly the decision to disrupt the DRT,” said Ms. Garza, adding that she believes the IRS made a sound decision, and that protecting taxpayer data is the agency’s highest priority.
But the tool’s outage has created untold problems for those who rely on it, despite steps by the department to relieve some of the burden on students and families.
“While the IRS was able to identify 100,000 individuals impacted by the data theft, it may not be possible to measure the impact of the DRT outage on students who may have missed a financial-aid deadline or never even completed a financial-aid application because of this issue,” wrote Mr. Draeger.
It has been extraordinarily difficult to get any kind of specific answer out of any of you.
At the conclusion of the hearing, some legislators said they were upset that Congress had not been alerted to the breach sooner, and with the winding responses of the people who testified. “It has been extraordinarily difficult to get any kind of specific answer out of any of you,” said Virginia Foxx of North Carolina, chair of the House education committee.
In a memo issued on Wednesday, the Education Department said it would provide further details about a solution and its impact on students and borrowers in the “coming weeks.”
Adam Harris is a breaking-news reporter. Follow him on Twitter @AdamHSays or email him at adam.harris@chronicle.com.