WASHINGTON — Republican lawmakers excoriated IRS and U.S. Department of Education officials as “incompetent” or “untruthful” Wednesday at a lengthy hearing on a security breach that led to the shutdown of the IRS Data Retrieval Tool — an online tool known as the DRT that makes it easier for students to apply for federal financial aid and student loans.
“It appears to me, at the end of the day, you’re either in denial of what happened or you’re incompetent or you’re just untruthful in what’s happening here,” said U.S. Rep. Jody Hice, R-Ga.
Hice was speaking collectively to five witnesses — two from the education department, two from the IRS and one from the U.S. Treasury — called to testify Wednesday at a House Committee on Oversight and Government Reform hearing pegged as the “FAFSA Data Breach.” (FAFSA is the acronym for Free Application for Federal Student Aid.)
“This is an emergency, not a mere inconvenience,” Kim Cook, executive director of the National College Access Network, stated in written testimony.
Cook said she anticipates that approximately 10 million FAFSAs have yet to be filed this year, mostly among lower-income students who tend to file later, as well as renewing college students, community college students, and older or part-time students who file closer to the start of school.
Justin Draeger, president and CEO of the National Association of Student Financial Aid Administrators, said in written testimony the DRT outage “harms students and families in multiple ways, making the FAFSA more difficult to complete, making more students subject to verification, and leaving families with fewer available financial aid office resources for help navigating the financial aid process.”
At Wednesday’s hearing, Hice and other Republican lawmakers grew increasingly frustrated over what they sought to characterize among the five witnesses as finger-pointing, minimizing the seriousness of the problem and failing to notify Congress about it in a timely manner as required by law.
Partisanship was on full display from beginning to end of the lengthy hearing.
Democrats sought to use the opportunity to call attention to predatory student loan companies that have misused student borrower account data — frequently citing a 2016 report from the U.S. Department of Education’s Office of Inspector General — and lamenting how U.S. Secretary of Education Betsy DeVos has rescinded policy memos issued during the Obama administration to crack down on the such practices.
“What nobody seems to be addressing is the unethical, abusive and predatory actions of student loan companies,” U.S. Rep. Elijah Cummings, D-Md., said at the outset of the hearing. Several Democratic colleagues followed suit.
U.S. Rep. Paul Mitchell, R-Mich., criticized Democrats for trying to “obfuscate” the issue by injecting the student loan companies into the matter.
U.S. Rep. Virginia Foxx, R-N.C., who chaired the hearing, suggested the need for “better people” to come into the Department of Education and the IRS to “get something done.”
She said that, while Democrats might seek to make it seem as though the IRS DRT outage is the fault of the current administration, “it needs to be made abundantly clear that you all came into those agencies under the previous administration and have been kept on.”
She was referring to the five witnesses: James Runcie, chief operating officer at the Education Department’s Office of Federal Student Aid; Jason Gray, chief information officer at the Department of Education; Ken Corbin, commissioner of the Wage and Investment Division at the IRS; Gina Garza, chief information officer at the IRS; and Tim Camus, deputy inspector general for the Treasury Inspector General for Tax Administration, otherwise known as TIGTA.
All five found themselves on the proverbial hot seat Wednesday as committee members sought to establish who knew what about data breach problems with the IRS DRT, when they knew, and why they didn’t notify Congress right away that there was a problem.
Lawmakers also hammered the witnesses for not creating a strong enough cybersecurity system to detect the breach in the first place.
“Wasn’t it dumb luck that you happened to find this?” said U.S. Rep. Mark Meadows, R-N.C.
He was referring to how the first report of the data breach happened to be an IRS employee who received a letter indicating that the employee had requested his or her IRS transcript, which the employee did not, and then reported the matter to the IRS.
Garza, the chief information officer at the IRS, denied that it was “dumb luck” and maintained that the notification that the IRS employee received was “part of the defense mechanism” that the IRS has in place.
“So you purposefully embed IRS employees in all this so that they might get a response notification so that they can highlight this?” Meadows said to Garza. “Come on.”
Gray, under questioning by Meadows, attempted to explain that the reason Congress was not notified until more than a month afterward is because the Education Department did not fully grasp the extent of the breach. Gray agreed that “in hindsight” Congress should have been notified sooner.
Garza also said initially the agency thought the number of affected taxpayers was much smaller in explaining why the IRS did not notify Congress of the problem right away.
The breach was not the result of a “hack” per se but rather a function in the IRS DRT that enables identity thieves to pose as students and see certain taxpayer information that automatically populates the DRT. The thieves were after the AGI — or adjusted gross income — which would help enable identity thieves to file fraudulent tax returns.
“It appears that identity thieves used personal information of individuals that they obtained outside the tax system to start the FAFSA application process in order to secure the AGI tax information through the DRT,” witness Camus explained in written testimony. “The IRS’ current estimate for the number of impacted taxpayers is approximately 100,000.”
The IRS has previously stated that fewer than 8,000 of false tax returns were processed, and that $30 million in refunds were issued as a result.
“In my world, $30 million is a lot of money, and you all don’t seem to take it seriously at all,” said U.S. Rep. Glenn Grothman, R-Wis. “That is a result of your not taking action when a breach is made, and you’re not following the law to let Congress know. It’s so troubling to me that it takes so long for you to do anything.”
Draeger expressed similar thoughts.
“Perhaps most troubling is the fact that this situation could have been avoided with better decision-making in September 2016, when the potential for abuse of the DRT was first identified,” Draeger said.
“The IRS and ED could have been working to implement security enhancements for the past six months that would have prevented not only the DRT outage but also the fraudulent activity ultimately identified in March 2017.”
Runcie indicated there are plans to get the IRS DRT up and running again by Oct. 1 in time for the 2018-19 FAFSA. The tool will be up in late May or early June for those who wish to use it for income-driven repayment of student loans, he said.
The revamped IRS DRT will operate with an “encryption solution” so that taxpayer information “will no longer be visible to would-be malicious actors,” Runcie stated.
“We acknowledge some filers may have concerns about not being able to see the information they are transferring from the IRS into the FAFSA,” Runcie stated. “We will continue to work with the financial aid community and the IRS to address these concerns.”
When Chairperson Foxx asked the witnesses if they could commit to make sure there is no opportunity for the DRT to be misused again when it is operational, only Runcie and Gray, of the Education Department, indicated yes.
Garza stated she is “not sure”; Corbin said, “I’m also unsure”; and Camus said, “We will be watching closely.”
“I think you’ve given the American people great confidence today when you tell them you cannot secure the system,” Foxx said sardonically.
Jamaal Abdul-Alim can be reached at [email protected] or you follow him on Twitter @dcwriter360.
