Was the IRS Data Retrieval Tool Breached?
The IRS suspended access to the IRS Data Retrieval Tool on March 3, 2017, without advance notice to the public, and evidence suggests it might have been subject to a security breach.
The IRS said the suspension was necessary “as a precautionary step” because of concerns about the potential for identity theft. The U.S. Department of Education, just like the public, was taken by surprise and initially was unaware of the shutdown. It wasn’t until six days later on March 9, 2017, that the IRS and U.S. Department of Education issued a joint statement about the suspension.
The haphazard manner in which the IRS Data Retrieval Tool was suddenly suspended strongly suggests there might have been an actual security breach.
Indeed, the Wall Street Journal reported that the tool was taken offline “due to criminal activity.”
The IRS Data Retrieval Tool transfers information from federal income tax returns into the Free Application for Federal Student Aid (FAFSA). The tool also can be used to complete annual renewals of eligibility for income-driven repayment plans.
It is unclear how the IRS Data Retrieval Tool could be subject to abuse. In order to access the IRS Data Retrieval Tool through the FAFSA and Student Loans web sites, the applicant must have an FSA ID and the address on the forms must match the address on the applicant’s federal income tax return. Obtaining an FSA ID requires the applicant to provide his or her legal name, Social Security Number and Date of Birth.
Thus, a hacker would need to already have a consumer’s name, address, date of birth and Social Security Number to use the IRS Data Retrieval Tool. The only additional information a hacker could obtain through the IRS Data Retrieval Tool is the applicant’s income and tax information.
However, a taxpayer’s prior-year adjusted gross income (AGI) is one of two options for signing and validating federal income tax returns filed online with the IRS. Thus, the IRS Data Retrieval Tool could be used by a hacker to obtain the AGI needed for income tax refund fraud.
The IRS says that the IRS Data Retrieval Tool will remain unavailable for several weeks. When the IRS Get a Transcript tool was used by hackers in early 2015, it remained offline from May 27, 2015 to June 7, 2016, which is a total of 54 weeks.
The IRS and U.S. Department of Education say that applicants still can manually complete the FAFSA. The IRS Data Retrieval Tool, however, not only simplifies the form, but also reduces the likelihood that it will be selected for verification.
Any data element that is transferred unmodified from an applicant’s tax return to the FAFSA will not be subject to verification. Also, some applicants might not have copies of the previous year’s federal income tax returns because the U.S. Department of Education switched the base year from the prior-year to the prior-prior-year starting with the 2017-18 FAFSA.
Applicants should not wait until the IRS restores access to the IRS Data Retrieval Tool. Instead, they should fill out the FAFSA manually so that they don’t miss state and college FAFSA deadlines. When the IRS Data Retrieval Tool becomes available again, they can use it to update the information on the FAFSA and thereby reduce the likelihood that their FAFSA will be selected for verification.
However, it is unclear whether access to the IRS Data Retrieval Tool will be restored before verification deadlines. If an applicant’s FAFSA is selected for verification, they will need to obtain a tax return transcript to verify the accuracy of income and tax information on the FAFSA. Applicants might wish to obtain a tax return transcript now to avoid delays later during verification. A tax return transcript can be obtained using the IRS Get a Transcript tool or by filing IRS Form 4506-T.
In the meantime, I have several suggestions for the IRS and U.S. Department of Education about ways they can address the issues raised by the security breach:
- Disable the use of AGI to authenticate taxpayers to the IRS for filing individual federal income tax returns, especially when the taxpayer’s address or bank account number has changed or the new address or bank account number is used for more than one unrelated income tax refund.
- Mask the last three digits of AGI on the IRS Data Retrieval Tool and the FAFSA, replacing them with asterisks. The actual full AGI can be provided directly from the IRS to the U.S. Department of Education without needing to reveal the full AGI to the applicant. The leading digits of the AGI are sufficient for the applicant to ensure that the correct AGI is being provided on the FAFSA. That will reduce the likelihood that a hacker can guess the full AGI to 1 in 1,000. The IRS can lock out use of AGI for authenticating a specific taxpayer after three failed authentication attempts.
- Truncate the AGI by setting the last three digits to 000 or round the AGI to the nearest 1,000. This will not have a significant impact on the expected family contribution (EFC), while preventing hackers from using the IRS Data Retrieval Tool to compromise the security of income tax refunds.
- Use reCAPTCHA on the online submission of individual federal income tax returns, to prevent automated attempts to compromise the security of federal income tax returns.
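
The masking, truncation and lockout suggestions above can be sketched as follows. This is an added example, not code from the IRS or the U.S. Department of Education; the `AgiAuthenticator` class, the taxpayer id `TP-0001` and the AGI value are constructed for illustration. It also shows the residual risk when masking and lockout are combined: three attempts against 1,000 possible values.

```python
import hmac
from dataclasses import dataclass, field
from fractions import Fraction

MASKED_DIGITS = 3   # article's proposal: hide the last three digits of AGI
MAX_FAILURES = 3    # article's proposal: lock out after three failed attempts


def mask_agi(agi: int) -> str:
    """Display form: leading digits visible, last three shown as asterisks."""
    sign = "-" if agi < 0 else ""
    digits = str(abs(agi)).zfill(MASKED_DIGITS)  # small AGIs are masked entirely
    return sign + digits[:-MASKED_DIGITS] + "*" * MASKED_DIGITS


def truncate_agi(agi: int) -> int:
    """Alternative proposal: set the last three digits to 000."""
    sign = -1 if agi < 0 else 1
    return sign * (abs(agi) // 1000) * 1000


def residual_guess_probability(attempts: int = MAX_FAILURES) -> Fraction:
    """Chance of hitting the full AGI from its masked form before lockout."""
    return Fraction(min(attempts, 10 ** MASKED_DIGITS), 10 ** MASKED_DIGITS)


@dataclass
class AgiAuthenticator:
    """Hypothetical filing-side check of prior-year AGI with per-taxpayer lockout."""
    agi_on_file: dict            # taxpayer id -> prior-year AGI (constructed data)
    failures: dict = field(default_factory=dict)

    def verify(self, taxpayer_id: str, claimed_agi: int) -> str:
        if self.failures.get(taxpayer_id, 0) >= MAX_FAILURES:
            return "locked"      # even a correct AGI is refused once locked
        actual = self.agi_on_file.get(taxpayer_id)
        if actual is not None and hmac.compare_digest(str(claimed_agi), str(actual)):
            return "ok"
        self.failures[taxpayer_id] = self.failures.get(taxpayer_id, 0) + 1
        return "locked" if self.failures[taxpayer_id] >= MAX_FAILURES else "rejected"


if __name__ == "__main__":
    auth = AgiAuthenticator({"TP-0001": 48217})   # constructed sample record
    print(mask_agi(48217), truncate_agi(48217), residual_guess_probability())
    print([auth.verify("TP-0001", guess) for guess in (48000, 48001, 48002, 48217)])
```

Once the account is locked, a legitimate filer needs another way to authenticate, so a deployment would pair the lockout with an out-of-band recovery path.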