Lawmakers on Wednesday grilled information security officers at the Department of Education and IRS over a data breach of an information-sharing tool that potentially exposed the personal information of 100,000 Americans earlier this year.
The chief information officers at both organizations came under harsh criticism from members of the House Oversight Committee for their handling of the situation, and defended themselves against charges that they may have violated the law by slow-rolling the notification of the breach to Congress.
The IRS’s Data Retrieval Tool (DRT) is used by student loan applicants to import tax information to the Free Application for Federal Student Aid (FAFSA) on the Department of Education’s website.
The hearing, which exceeded four hours, provided more details about the timeline of events leading up to the decision by the IRS and the Department of Education to pull the tool from the web in early March as a precaution amid concerns that information could be used by identity thieves to file fraudulent tax returns.
In testimony before the Senate the following month, IRS Commissioner John Koskinen acknowledged the breach and revealed that as many as 100,000 taxpayers may have had their personal information compromised.
Federal law requires departments and agencies to report major information security incidents to Congress within seven days of their discovery.
Tim Camus, a Treasury Department deputy inspector general, said Wednesday that the IRS noticed suspicious activity associated with the tool in January and consulted the Department of Education, which said that it believed the activity to be legitimate. Then, on Feb. 27, the IRS determined that the tool was being used to steal taxpayers' adjusted gross income information, which prompted officials to shut down the tool.
Rep. Jim Jordan (R-Ohio) said that the IRS only notified Congress of the breach in the public testimony in April, more than a month after confirming that there was suspicious activity on the tool.
The Department of Education never notified Congress, Jason Gray, its chief information officer, confirmed Wednesday.
Jordan and Rep. Gerry Connolly (D-Va.) indicated that the lack of notification could constitute a violation of the Federal Information Security Modernization Act.
“The breach at the Department of Education is something that we’ve been warning about on this committee for quite some time,” Connolly said. “The Department of Education holds data on 139 million individuals.”
“It seems like it was incumbent on the Department of Education to inform us in a timely fashion,” Connolly said. “I think it’s in violation of the law. I know we’re going to pursue that more.”
Gray argued that, because his team did not identify any Department of Education information that was compromised in the situation, he only notified the computer emergency readiness team at the Department of Homeland Security and the department inspector general — not Congress. He also said that he was under the impression that the IRS had notified Congress during the appropriate timeframe.
Gray sidestepped calling the incident a breach of the department’s systems.
“While the department systems were involved, this was in essence a scheme directed at retrieving tax data from the IRS,” Gray said. “There is no evidence that the malicious actors were able to access any personal information from the department systems.”
Gina Garza, the chief information officer at the IRS, said that the agency was slow to notify Congress because it initially believed the number of individuals potentially affected to be less significant.
“We did inform the Congress that this was a data breach,” Garza said. “The reason why it took as long as it did was because we were going through analyzing the information. The initial population was much smaller than 100,000 that we thought were impacted. We also needed to coordinate with the Department of Education.”
The IRS is currently investigating tax returns that have been flagged as potentially fraudulent in connection with the data breach.
“We found that the data obtained through unauthorized use of the tool was in some cases used to attempt to file false returns,” Ken Corbin, the deputy commissioner of the Wage and Investment Division at the IRS, told the committee.
“Our strengthened fraud filters have stopped a significant number of questionable tax returns by fraudsters who accessed the DRT. We are working to determine whether any of those returns are, in fact, fraudulent.”
The agency has also sent notification letters to individuals potentially affected and offered them identity theft protection, Corbin said.
Lawmakers expressed frustration with the officials’ lack of accountability on the issue, accusing both organizations of attempting to blame the other. The chief information officers were forced to defend their commitment to bolstering data security amid charges of incompetence.
“At what point are we going to get this right? Because we continue to have breaches,” said Rep. Mark Meadows (R-N.C.). “We’re always coming in after the fact to look at this.”
The tool will remain offline as officials work to implement a new encryption solution, and it is expected to deploy with the additional security measures in October, in time for the 2018 student aid application season.
The IRS knew of security vulnerabilities in the tool as early as October 2016 but kept it online because there was no evidence that hackers were exploiting it.
“Protecting the taxpayer data is our top priority,” Garza told lawmakers. “We were trying to balance the protection of the taxpayer data with the use of the tool, which is why we reached out to the Department of Education to have discussions about what we could take.”