
Financial Aid Tool Breach Yields 100K Taxpayers Worth Of Stolen Data

The breach of a tool that parents and students can use to streamline the student lending process has allowed information for 100,000 taxpayers to get out into the wild, according to Internal Revenue Service Commissioner John Koskinen on Thursday.

The tool — which allows users to directly port their electronic tax return into the Free Application for Federal Student Aid form — had to be unplugged in March when it was discovered that enterprising cybercriminals were using the tool for an unintended purpose: gathering information to file fake tax returns.

The scam led to about 8,000 fraudulent refunds — worth about $30 million. The IRS filters were able to stop 52,000 returns and prevented 14,000 illegal refund claims from being sent.

The IRS first noticed and made the federal DoE aware of the issue in early fall.

“I told (the Education Department) as soon as there was any indication of criminal activity, we would have to shut that system down,” Mr. Koskinen said. “We’re trying to anticipate where the criminals will attack next.”

Mr. Koskinen said the government was reluctant to make a quick decision last year to terminate the popular tool.

“To shut it down without a clear indication of criminals actually using it seemed to us that it was going to unnecessarily disadvantage millions of people who used it,” he told reporters after the hearing.

Plus, Koskinen noted, not all flagged tax returns were actually fraudulent — there were some cases where clearly the correct person was behind the return. They included taxpayers who paid money with their returns — not the way refund fraud works — and taxpayers who filed their returns before using the Education Department’s tool.

“We caught it early enough that there’s not a significant volume of money out the door,” he said.

Apart from the breach — and the data of 100,000 taxpayers being a little bit compromised — the other downside in this story is that the tool itself is done for the rest of the 2017 application cycle, which is bad news for those who rely on it, particularly in low-income communities.

A criminal investigation into the breach is ongoing.


