
FAFSA Breach Affected 100,000 Taxpayers
Tax Fraud via FAFSA
The Internal Revenue Service (I.R.S.) has announced that as many as 100,000 taxpayers may have been compromised through a breach of a tool related to the FAFSA (Financial Aid) process. Attackers were able to leverage a convenience built into the application process which would auto-fill the students’ and parents’ tax information from I.R.S. databases. The goal of the tool was to make it easier for families to complete the lengthy application. However, it was taken offline after I.R.S. officials noticed higher-than-average rates of incomplete applications.
A common scam involves filing false tax returns in order to steal the refund checks. The FAFSA breach appears to have been used to carry out this kind of attack. The I.R.S. is in the process of notifying 100,000 taxpayers of the potential identity fraud and has issued refunds on fewer than 8,000 returns that are believed to have been fraudulent.
Questionable Response
According to the New York Times, the I.R.S. first “became concerned” in the fall of 2016. Yet the tool remained active until March of 2017. In a statement to the Senate Finance Committee, I.R.S. Commissioner John Koskinen indicated a reluctance to take the tool offline until there was clear evidence of foul play.
It appears that the I.R.S. did what most organizations do… they took the “wait and see” approach. Taking the tool offline wouldn’t just be embarrassing; it would also be highly disruptive. Each year, millions of families and countless colleges and universities rely upon the system to process applications. The tool in question saved a great deal of time for both families and institutions looking to verify the data in the applications.
By waiting, the I.R.S. took the risk that identities would be stolen and fraudulent tax returns would be filed. In the end, the I.R.S. had to deal with both a technical and public relations disaster.
What Should You Do?
There are basically two kinds of web services: those you choose to use and those you have to use. Government services commonly fall into the latter category. There are some services for which there isn’t a direct competitor. It can be very challenging to protect yourself and your data in those cases. There just isn’t anything you can do if the organization responsible for protecting your data fails you… especially when you couldn’t avoid giving them that data in the first place.
Thankfully, the vast majority of online services are those which you choose to use. With that in mind, here is some advice for how to think about online security.
- Be Skeptical: Many, if not most, people assume that they can trust the website or organization they are dealing with to protect their data. Historically, this has been a bad gamble. Start with the premise that the website or app needs to earn your trust. Don’t give away personal information until you are satisfied with the measures they have in place to protect it.
- Be Alert: The first step to establishing trust with a website is to see if they are using encryption to protect your traffic. Usually it is a green padlock or the word “Secure” in the URL bar of the browser. If a site does not have that symbol, then don’t trust them with your credit card, banking details, or any other personal information. HTTPS Everywhere is a browser extension for Chrome and Firefox by the Electronic Frontier Foundation which encrypts your traffic with many websites. It is a painless step which automatically makes you a little more secure online.
- Be Patient: Security and convenience are opposite ends of a spectrum most of the time. If being secure is too difficult, time-consuming, or confusing, then you will default to less-secure behaviors. Security measures can be frustrating, but try to keep the big picture in mind. Few things can affect your life as dramatically as identity theft.
- Be Curious: The more you learn about the mechanics of the web, the safer you can be. You don’t need a Bachelor’s degree in Computer Science to pick up some useful skills. When a browser, website, or smart device is able to pull up your personal information or data, wonder how they were able to accomplish that. For any question you could think to ask, there is already someone who has made a YouTube video or written a blog post to answer it.