The Internal Revenue Service said, on Thursday, that the personal data of as many as 100,000 taxpayers could have been compromised through a scheme in which hackers posed as students using an online tool to apply for financial aid. According to The New York Times, the breach has the potential of being the most extensive since the 2015 tax return incident when info on over 300,000 taxpayers was used to file false claims. The IRS later increased that estimate to potentially affect 700,000 people.

The affected tool makes it easier to fill out the Free Application for Federal Student Aid, or the FAFSA, by allowing aid applicants to automatically populate the applications with their and their parents’ tax information.

The data retrieval tool suddenly and mysteriously became unavailable in early March when the the U.S. Department of Education and the Internal Revenue Service suspended the tool due to security concerns. The shutdown, at the height of financial aid application season, caused outrage among parents and aid applicants filling out the complicated FAFSA forms.

Identity thieves used the tool to gather information to file fake returns seeking refunds. About 8,000 fraudulent refunds were issued, costing $30 million. IRS filters stopped 52,000 returns and prevented 14,000 illegal refund claims from being sent. 

The IRS became concerned last September when it realized it was possible for cybercriminals to utilize the tool to steal data and file fraudulent tax returns. Internal Revenue Service Commissioner John Koskinen said "I told (the Education Department) as soon as there was any indication of criminal activity, we would have to shut that system down. We're trying to anticipate where the criminals will attack next." 

When asked why the department waited nearly six months to suspend the tool, he told reporters "To shut it down without a clear indication of criminals actually using it seemed to us that it was going to unnecessarily disadvantage millions of people who used it,"

The commissioner said that the agency had already sent out 35,000 letters to taxpayers and that it was planning to contact 100,000 people to alert them that they might be at risk.

The tool will remain unavailable for the remainder of this application cycle, but is expected to be available again in October for the 2018-19 academic year.


Breadcrumb is a cybersecurity and executive advisory firm. Located in Central California, we partner with organizations throughout the US, protecting their critical assets from cyber breach. Contact us today for a no-obligation consultation.

Author: Jennifer Guidry, CMO