The House Oversight and Government Reform Committee scolded the Internal Revenue Service and the Department of Education on Wednesday for not sounding the alarm sooner on a major cyber incident that may have compromised sensitive financial information on more than 100,000 taxpayers who applied for federal student financial aid.
Rep. Steve Russell (R-Okla.) scrutinized IRS officials for not notifying Congress sooner regarding a major data breach in which cybercriminals leveraged an Education Department tool to file fraudulent tax returns. Failing to flag the suspicious activity in a timely fashion, Russell said, went against the “see something, say something” spirit of the Federal Information Security Management Act.
“It took the Internal Revenue Service almost three months to determine that this was a major data breach incident that required congressional notification per FISMA requirements. And the [Education] Department is still not calling this a major incident and I would like to find out, and I’m sure my colleagues would like to find out why.”
On March 3, the Education Department and the IRS shut down the data retrieval tool on FAFSA.gov after hackers exploited the DRT to obtain taxpayers’ adjusted gross incomes, and then used that information to file fraudulent tax returns. IRS Commissioner John Koskinen told the Senate Finance Committee in April that his agency told the Education Department last fall to keep an eye out for any suspicious activity, but it wasn’t until early February that a pattern of suspicious activity was identified.
While lawmakers criticized the IRS for its slow response, Rep. Gerry Connolly (D-Va.) told Education Department Chief Information Officer Jason Gray he was “splitting hairs” by not classifying the cyber intrusion as a major data breach under FISMA, after reporting the incident to the U.S. Computer Emergency Readiness Team.
“This was a situation where unlawfully obtained information was used to go through our system to access information through the DRT, which is why we reported to U.S.-CERT … We did not report this as a major incident, because our information, meaning the information that the department holds, was not compromised,” Gray said.
However, Tim Camus, the deputy treasury inspector for tax administration, told Connolly that in his view the hackers’ use of the DRT should have triggered FISMA, which requires agencies to disclose a major data breach to Congress within seven days of its discovery.
“We would view it as once somebody was able to see somebody else’s data that, in fact, has been a breach,” Camus said.
Connolly, the ranking member of the government operations subcommittee, told Gray the Education Department should have informed Congress about the breach, even if it wasn’t sure if FISMA had been triggered.
“The law is there to make sure that the legislative branch is informed in a timely fashion when this kind of activity occurs and the reason isn’t so that we’re keeping score. It is to make sure that we’re doing what we can, on our part, to protect sensitive data of American citizens. And it seems to me that it was incumbent upon the Department of Education to inform us in a timely fashion,” Connolly said.
IRS CIO Gina Garza told the committee that the tax agency, which she said defends against a million intrusion attempts on its information systems every day, has to strike a careful balance between convenience and security when it comes to its online services, but ultimately decided to take the Education Department’s DRT offline.
“We did not take lightly the decision to disable the DRT tool. We knew that doing so had the potential to disrupt millions of students applying for federal financial aid,” Garza said. “We were trying to balance the protection of the taxpayer data with the use of the tool. And that is why we reached out to the Department of Education to have discussions about what we could take. We saw this as action that we needed to take immediately and we did take that.”