by Alfred Ng April 7, 2017 10:15 AM PDT @alfredwkng
A financial aid tool for college students helped hackers steal up to $30 million from the US government.
Nearly 100,000 people are at risk for identity theft after hackers breached the IRS's Data Retrieval Tool, which parents use to transfer financial information for their kids using the Free Application for Federal Student Aid. In 2015, 17 million students used FAFSA to file for financial aid.
Fraudulent tax returns have become a growing issue for the IRS, as hackers find more sophisticated measures to steal financial documents online. The agency lost $5.8 billion in 2013 alone from sending tax refunds to thieves filing in other people's names. These schemes have targeted schools, hospitals and restaurants, and college students are the latest victims.
IRS Commissioner John Koskinen testified to the Senate Finance Committee on Thursday, revealing thousands of people could be hit by identity theft from the breach. The agency delayed refunds from going out to 52,000 taxpayers until they can verify they're real requests.
"It was clear that some of that activity was legitimate students, some of it was criminals," Koskinen said. "So we shut the system down."
The tool, which allowed applicants to automatically upload their tax information, also allowed hackers to pose as 8,000 college students in tax refund requests. They would start the financial aid process like a normal student, and then use the IRS tool to automatically populate tax information for the student and parents.
Using that stolen tax information, identity thieves filed fraudulent tax returns, stealing $30 million from the IRS. Up to 14,000 other phony tax refunds were blocked from the IRS.
The Department of Education and the IRS disabled the tool in March, during a critical time when students are applying for loans, and said it wouldn't return online until the fall. The IRS first learned about the breach in September 2016, but delayed shutting down the tool then because millions of students depend on it.
"As soon as there was any indication of criminal activity, we would have to take that application down," Koskinen said. "That occurred, as we monitored, in through the early part of Feburary."
Students can still fill out their application manually without the tool, but the process takes a longer time. The IRS has notified 100,000 people that their information is at risk.
CNET Magazine: Check out a sample of the stories in CNET's newsstand edition.
Life, disrupted: In Europe, millions of refugees are still searching for a safe place to settle. Tech should be part of the solution. But is it?