The chief report for Federal Student Aid was among those who took questions from the House Oversight Committee. This is about 2 1/2 hours. Good morning. The Committee on Oversight and Government Reform will come to order. Without objection, the chair is authorized to declare a recess at any time. The chair notes the presence of our colleague, Congressman Bobby Scott from Virginia. We appreciate his interest in this topic and welcome your participation today, sir. I ask consent that Congressman Scott be allowed to participate in today's hearing. Without objection, it will be so ordered. I would also like to ask unanimous consent to enter into the record statements from the following social works. The National Association of Student Aid Administrators. The National College network. The National Role on education and epic. Today we are here to talk about a data breach involving a Department of Education website and an IRS web-based application. Every day literally, every series criminal conduct an unknown number of sophisticated and devastating cyber attacks against our nation. To get the government ahead of the curve will require more effort on the part of agency heads and chief information officers as we begin the task of modernizing old, outdated requested insecure federal technologies and network architectures. We cannot calibrate our defenses and buy the right security platforms unless we understand the threat. We must be honest and transparent about what risks we face and what damage is being done. Ignoring the problem, or underestimating the threat, places our nation and its citizens in danger. Once again, we find ourselves in the Oversight Committee investigating a data breach. Hackers were trying to file fraudulent tax returns and steal refunds. To accomplish this crime they turned to federal education FAFSA and Free Education student aid on. Government networks.
To get the one piece of information that they desired that they couldn't buy in the marketplace, they came to the tool. Specifically, taxpayers' adjusted gross income data. You need that AGI to authenticate your identity for the IRS and file your tax returns. All hackers needed to do was go to a dark web, buy a cache of American taxpayer personal identifying information, use that to get into FAFSA.gov and the tool, and they had everything that they needed to steal taxpaying citizens' refunds. This is the kind of hacking scheme that the federal agencies must be aware of when they make their services available online. If sensitive data can be accessed through an online application, it must be secured. The strong authentication measures and appropriately equipped. Facing the truth is important not only because the incidents affect tens of thousands, if not hundreds of thousands, of American taxpayers and probably millions of students applying for student aid, but also because without understanding the threats we face, we can't protect ourselves. It took the Internal Revenue Service almost three months to determine that this was a major data breach incident that required congressional notification per requirements. And the department is still not calling this a major incident, and I would like to find out, and I'm sure my colleagues, why. This is not about wordsmithing; what we call these incidents helps us bring the full weight of the federal government to bear on the cyber response. Getting help to those who have been impacted and making sure the vulnerabilities are defended. Cyber attack is a treatment port. A leak in the attack one or the other still creates a leak. If we have other organizations' tools or technologies hooked up to our networks and websites, then we are responsible. It only takes one vulnerability and everyone else connected is at risk.
What's so troubling about this incident is that it was detected through suspicious activity accidentally. The hackers inadvertently targeted an IRS employee. Criminals do make dumb mistakes, but so do agencies. I'd like to think our detection and defense abilities are more advanced than mistakes of criminals, relying on the dumb mistakes that they make. We aren't going to win this fight unless we understand the threats that we face, the damage that hackers and enemies are doing to us, and what we as a Congress can do to empower agency heads and CIOs to protect our networks. The first step in fighting back is wearing our mistakes like a badge. We should follow it with some good and determination to not let it happen to the areas of government that have been entrusted to our charge. And with that I would like to yield to the Ranking Member, Mr. Cummings. Thank you very much, Mr. Chairman. No matter who may define it, it's a major incident. IRS or Education, I'm just letting you know it's a major incident. You can put any kind of definition on it, but I'm telling you it is. I welcome this hearing today. This hearing is about data retrieval, the data retrieval tool, and that is a valid topic that several other committees are also addressing, and I too. I want to thank Representative Scott for joining us today. He is one who has addressed these issues for many, many years and I thank him. Now, what nobody seems to be addressing is the unethical, abusive and predatory actions of student loan companies. Last September, the Inspector General issued a report finding that multiple student loan companies, which were supposed to be, supposed to be helping students, were actually accessing and changing student login information as part of predatory schemes to access their accounts, change their regular mail and email addresses, and even intercept correspondence. That's a major, major event.
Specifically, the IG reported that the process for logging on to the Federal Student Aid website was, quote, being misused by commercial third parties to take over borrower accounts. End of quote. In one case the IG found that a student loan company, and I quote, changed the mailing address, the phone number, and email address for borrowers so it would be difficult for the borrowers to be contacted by loan servicers. End of quote. In another case the IG found that a company charged borrowers monthly fees to, quote, put their loans into forbearance with the stated promise of eventually enrolling them in the Public Service Loan Forgiveness or some other debt reduction program even though the borrowers in some cases were not qualified for these programs. End of quote. This is major. The IG also found these companies were able to, quote, intercept all of the borrowers' emails, correspondence including password resets via email, important email notices and direct communication from FSA or the loan servicers. End of quote. Less than two weeks ago, on April the 20th, our committee staff conducted a transcribed interview with a special agent in charge of this investigation at the Inspector General's office. This is what he told us. He warned that these companies, and I quote, were controlling thousands of accounts or creating thousands of accounts and controlling them. End of quote. In other words, the very companies that were supposed to be helping students were actually abusing their trust. These practices are reprehensible, but the IG reported that it could not prosecute these student loan companies because of technicalities. Apparently these companies force students to sign powers of attorney to get loans, so the companies presumably can try to argue that they were authorized to engage in these abusive activities. Something is awfully wrong with that picture. It is outrageous that these companies got away with behavior they must have known was wrong.
Not must have known, they knew was wrong. I'm eager to hear from today's witnesses about improvements necessary to hold these student loan companies accountable for engaging in these deceptive and abusive practices. In addition, as we will hear today, criminals were able to compromise the data retrieval tool, which is used to link student tax information to financial aid and student loan accounts online. These criminals then used this information to file fraudulent tax returns. It is unacceptable that students have to deal with the abusive practices of predatory loan companies, as well as the increased threats of identity theft. It is critical that we crack down on these criminal elements and improve the security of the systems. Congress also needs to support these efforts. Severe budget cuts in recent years have made it more difficult to make critical improvements in information technology. President Trump's budget proposal and staff reduction directives would exacerbate these challenges. Finally, if we really, really want to protect students from the abuses we are addressing here today, Congress obviously cannot abolish the Department of Education as some of my colleagues have proposed. We must support and increase our nation's investments in our students. As I often say, our children are the living messages we send to a future we will never see. The question is how will we send them. The question is how will we protect them. And this is that moment, this is our watch. With that, Mr. Chairman, I yield back. Thank you. I will hold the record open for five legislative days for any members who would like to submit a written statement. We will now recognize our panel of witnesses. I'm pleased to welcome Mr. James Runcie, the chief operating officer, office of Student Aid, Department of Education. Mr. Jason Gray, chief information officer from the Department of Education. Ms. Silvana Gina Garza, chief officer of the Internal Revenue Service. The Honorable Kenneth Corbin. And Mr.
Timothy Camus, the Deputy Inspector General for Investigations, Treasury Inspector General for Tax Administration. We welcome all of you and thank you for being here this morning. Pursuant to committee rules, all witnesses will be sworn in before they testify. Would you please rise and raise your right hand. Do you solemnly swear or affirm that the testimony you're about to give will be the truth, the whole truth and nothing but the truth? I do. Thank you, please be seated. Let the record reflect that the witnesses answered in the affirmative. In order to allow time for discussion, we would appreciate it if you would please limit your oral testimony to five minutes each. Your entire written statement will be made a part of the record. And with that I'm pleased to recognize Mr. Runcie for five minutes. Thank you, Chairman Russell, Ranking Member Cummings and members of the committee, for the opportunity to join you today. I'll discuss the events that led to the data retrieval tool, or DRT, being disabled and the actions we've taken to assist students, parents, borrowers and schools. FSA delivered more than 125 billion in aid to over 13 million students attending more than 6,000 schools last year. FSA is committed to safeguarding tax permissions as we guard access for safety student aids and their family. During my ten years at FSA we've managed the growth of the direct loan portion for the student loan portfolio from 9.2 million recipient and 9.2 million to recipient. One of the critical resources that have assisted in this growth is the DRT. It became available in 2010 duringizer j FSA and provide FSA customers an effective way to transfer required IRS tax information. Each year about half of the 20 million FAFSA filers use the DRT, and another 4.5 million borrowers use the tool for the income driven. In total over 50 million FAFSA applications have utilized the DRT since its inception.
Using it saved many applicants time and lowered the verification hurdle for schools and their dedicated staff and financial professionals. Following a security pretty much last year, the FSA contacted s s a about a DRT vulnerability. The joint goal was to minimize the vulnerability without causing a major disruption to our customers. We agreed to keep the DRT in operation by monitoring the tool for suspicious activity. The i s a evaluated many solutions it could, be innovative with both applications and increase the information for taxpayer information. Many solutions did not meet the required security threshold or resulted in too few applicants being able to access student aid. In February we agreed to develop and implement an encryption solution. This solution will be employed for the 2018/19 award year beginning October 1st, 2017. We'll continue to monitor the applications for the current award year and still allow for DRT use. On March 3, the IRS notified the suspicious activity and suspended its use. It involves bad actors who obtained information elsewhere and began filling out FAFSA and utilize taxpayer information through the DRT. This could be used to file fraudulent tax returns. I want to reiterate we have no evidence that personal information from the department's systems was accessed. However, with evidence that criminals were starting to exploit the vulnerability of the DRT, using the tool was no longer an option. The solution to bring back the DRT will allow tax information to be transferred, but it will encrypt the information and hide it from the applicant's view. For the IDR application we are targeting the end of May to have the DRT functionality available to applicants. We are scheduled to meet the October 1st timing for the 18/19 year. Consequently, we're reminding students, parents and borrowers they can still apply for aid and repayment plans without the DRT.
Ongoing efforts involve utilizing all of our communication resources, digital properties and vendors, and leveraging the financial aid community. The department also issued a communication to schools extending flexibility regarding verification procedures. I appreciate the opportunity to provide you with this information and I welcome any questions you may have here today. Thank you. Thank you. The chair now recognizes Mr. Gray for five minutes. Thank you, Chairman Russell and Ranking Member Cummings and members of the committee. I'm Jason Gray, CIO for the Department of Education, a position I've had the privilege of holding since June of 2016. I appreciate the opportunity to speak with you today on a cyber security incident that led to the shutdown of the IRS data retrieval tool. As CIO I embrace and fostering educational excellence and ensuring equal access by ensuring we apply information technology effectively, sufficiently and securely. I take this responsibility seriously and understand that this includes the entire department, including Federal Student Aid and all principal and support offices. When we became aware that the IRS had confirmed that tax data accessed through the FAFSA link through the DRT may have been used to fraudulently file tax returns, we activated our immediate responses. This enabled gathering data and understanding the incident. We held daily meetings to facilitate communication between the technical staff of my office, Federal Student Aid and the IRS. We reported the incident to the office, to our Office of the Inspector General, and to the United States Computer Emergency Readiness Team at Homeland Security. While the department's systems were involved, this was in essence a scheme directed at retrieving tax data from the IRS. There is no evidence that the malicious actors were able to access any information from the department's system.
I am confident the personal information the department has on borrowers, students and parents remains appropriately protected. I will explain further actions we've taken to further help and strengthen our program to protect sensitive data and PII that's managed by the department. Security is a priority for the department. We created a response to address and data breach response processes. In 2016 the department conducted two incident response tabletop exercises that helped us refine our incident response process through the development of lessons learned and identification of actions the department needed to enhance our overall incident response process. The department has implemented a number of technical controls and solutions to detect policy violations, unauthorized changes and unauthorized access to the department's network. This includes a data loss prevention solution which restricts such as Social Security numbers outside of the department. In 2016 the department also implemented network access control, which prevents connection by any unauthorized device to the network. A third solution, web application firewalls, have been implemented, and we are transitioning web photos and protections to be protected by those firewalls. The department had partnered with DHS for automation solutions and mitigation, which will enable us to continuously monitor our network for intrusion and malicious activity. The department activates multilevel dhi. I thank you for the opportunity to discuss the incident that affected the department. We're continuously working together to enhance the security and privacy protections around this important capability. I am confident that the technical solution currently being worked will achieve this goal. I will be pleased to answer any questions you may have. Thank you. The chair now recognizes Ms. Garza for five minutes.
Chairman Russell, Ranking Member Cummings and members of the committee, thank you for the opportunity to appear before you today to discuss the cyber security incident associated with the Federal Student Aid data retrieval tool, or DRT. I have been a public servant for over 32 years and I have been an information technology executive for the last 17. Recently, I became the chief information officer, having served as a deputy CIO for the four years prior. During this time I have seen a dramatic change in the number and types of attacks fraudsters and criminal enterprises use to try to get the data we are committed to protecting. As the tactics have changed the IRS has added to the approach what cyber security and refund fraud have also changed. We understand the enemy is ever changing and must stay diligent in improving our defenses. We know we all share the responsibility to ensure that cyber security is integrated in every part of our operation. Stepping into the role of CIO eight months ago, I established two priorities. Cyber court and eliminating filing season. I appreciate the delicate balance between meeting taxpayer needs with quick and convenient access to online programs and securing our systems. We did not take lightly the decision to disable the DRT tool. We know that doing so had the potential to disrupt millions of students applying for financial aid. I believe we made a sound decision, one that would protect the data of approximately 175 million Americans. This is our highest priority. I appreciate your decision to conduct a public hearing on this subject, as I believe it is critical that we continue to raise awareness of the widespread cyber and identity theft threats we are facing across the globe every day. Every day thousands of victims fall victim to identity theft. Government and private sector companies are being bombarded with cyber attacks. We and the audience have a front row seat. Every day the IRS assess and desist on average.
Identity theft continuing to be a threat to our efforts. When we first became concerned with the level of authentication protecting the tool, we were determined we should shut down the application. Our practice has been to shut down the application of concern until we have mitigated the risk. In prior situations, no other agency was involved; the situation was different. The Department of Education was highly dependent on the tool for the program and to serve its customers. We would not make a decision to shut down the application without engaging the Department of Education in the decision process. We discussed the need to raise the level of authentication with the Department of Education; we discussed the fact that this could be done at the Department of Education website or the DRT tool. The Department of Education needed to have a user-friendly solution in place. This made it undesirable to implement a solution that would cost about 70 of applicants to be able to complete the process. We continued to collaborate with the department to find a solution to protect the data. At that time, there was no evidence of data loss or fraud, so we agreed to not shut down the application while we worked on an acceptable solution. We were always clear that the moment we had evidence of data loss or fraud we would turn off the data retrieval tool. On March 3rd, having confirmed an incident of fraud, we turned off the application. Details of the incident leading up to the decision to shut down the application are in the written testimony. In conclusion, protecting data is our highest priority. This threat is persistent and ever changing, and the IRS remains diligent and ever watchful. The funds Congress provided last year have helped us to enhance our capabilities, but there will always be more work to be done. This concludes my oral testimony. I'll be happy to answer your questions. Thank you. Chair now recognizes Mr. Corbin for five minutes. Chairman Russell, Ranking Member Cummings and members of this committee.
I am the new commissioner of the IRS Wage and Investment, having started this position at the beginning of the year. My responsibilities include overseeing the processing of tax returns, issuance of refunds, preventing and protecting refund fraud, providing the best service. Thank you for this opportunity to testify. My colleague Ms. Garza has described the work the IRS is doing in collaboration with the Department of Education to secure the DRT. I'll put that in a broader context of how we are working to safeguard all of our programs where we share taxpayer information. I will also update the committee on our efforts to help taxpayers who may have been affected by the incident earlier this year involving the DRT. An important focus of the IRS's efforts to protect taxpayer data is the ongoing battle against stolen identity refund fraud. We've made steady progress over the last few years against this threat, but this threat is constantly evolving. To address this challenge the IRS has worked to increase our ability to monitor, detect, and analyze suspicious activities within our system. Congress helped us by providing 200 million in additional funding in 2016, which included 95 million to include cyber security. We have used a portion of that funding for monitoring equipment and other capabilities that are more sophisticated than we previously had. This helps us detect unusual activities in our various online tools and applications more quickly. Despite all this progress we made, we realized we cannot relax the fight against identity theft. We are finding that as the IRS enhances return processing filters, catching more fraudulent returns at the time of filing, criminals become more sophisticated at mimicking taxpayer identity so they can evade those filters and obtain fraudulent refunds. The IRS is working not only to work faster but also stay ahead of the criminals.
In that regard we've taken a broad effort to review authentication taxes and strengthen those taxes when necessary. Student aid is an area where we have been concerned about the ability of bad actors to fraudulently obtain taxpayer information; that led us last fall to closely monitor activity on the DRT and work with the Department of Education to make the DRT more secure. In investigating the incidents earlier this year involving the DRT, we found the data obtained through the unauthorized use of the tool was found to be used to file false tax returns. Our filters have stopped a significant amount of fraudulent tax returns. We are working to determine whether any of those returns are fraudulent. Our analysis during the suspicious activity involving the DRT found 00s of thousands individuals may have had their tax compromised. We found that a number of these taxpayers did not have information compromised; in an abundance of caution we mailed letters to all of these taxpayers. We wanted to tell them about the able of unauthorized access to these so they can take steps. Along with notifying these taxpayers, the IRS is marking their accounts to provide additional protection against the possibility that an identity thief can file a false return using their information. We also recognize that many families trying to apply for student aid have been inconvenienced by a decision to shut off the DRT while we work to improve security for the tool. In the interim, families can still complete the application for student financial aid by manually providing the requested information from copies of their return. Although we realize this is not as convenient as using a DRT, we have a responsibility to ensure the DRT and all of our online tools are fully protected from identity thieves. Chairman Russell, Ranking Member Cummings and members of this committee, that concludes my statement. I'll be happy to take your questions. Thank you. The chair now recognizes Mr. Camus for five minutes. Thank you.
Chairman Russell, Ranking Member Cummings and members of the committee, thank you for the opportunity to testify on the topic of the recent Free Application for Federal Student Aid data retrieval tool breach. On average each year the IRS issues approximately 400 billion in refunds, processes 242 million tax returns and collects over 3 trillion in revenue. Due to the significant amount of money that flows through the IRS each year, the taxpayer IRS information is extremely valuable to identity thieves. As a result the IRS has become a target of cyber criminals located all over the world. Over the past several years TIGTA has conducted many investigations on the variety of cyber attacks on the IRS. For example, in May 2015, criminals launched a criminal attack on the IRS information portal that was estimated to impact 110,000 taxpayers. Further, more than 700,000 taxpayers were detexted by abuses of the system. In January 2016, the IRS e-file PIN application was exploited. The IRS estimates the exploitation resulted in the issuance of over 100,000 e-file PINs that were used to file fraudulent tax returns seeking more than 1 100 million in fraudulent refunds. On January 25th, 2017 the IRS noticed unusual activity on the FAFSA retrieval data tool. The IRS reported this to the Department of Education. The Department of Education advised the IRS that they believed the activity was legitimate activity. Then on February 27th, 2017, it was determined that the FAFSA data retrieval tool was in fact being used in order to steal taxpayers' adjusted gross income, or AGI, information. Taxpayer AGI information is extremely valuable to identity thieves as it is needed by criminals in order to authenticate themselves for the purpose of filing fraudulent tax returns and stealing refunds. Due to this activity, in early March 2017, the IRS made the decision to take the data retrieval tool offline.
It is estimated that as many as 100,000 taxpayers may have had their AGI information stolen through this exploitation. Through the benefit of hindsight, all this information I've discussed reveals that although the IRS conduct the sharing sights, it has had difficulty in identifying the proper level of risks. That is because the struggle with determining the risk, then necessary authentication requirements, all the balancing the use for taxpayers continuing to the challenge. Criminals are defeating the various authentication and security requirements; we share what we learn with the IRS in order to help them shore up their applications. One thing is crystal clear. There is a determined element paying close attention to tax administration, and I believe these criminals will continue to present challenges to the future of efficient and secure electronic tax administration. In summary, we intend to take seriously our mandate to protect American taxpayers and the integrity of the IRS. As such, we machine to provide continuing investigative and coverage in the area of cyber security, and we look forward to continued discussions on ways we can fight these types of cyber crimes in the future. Mr. Chairman, Ranking Member Cummings and members of the committee, thank you for letting me share my views and I look forward to answering questions. Thank you. The chair will now recognize himself for five minutes. Ms. Garza, as I look at this situation, and you certainly have a lot of experience both in the CIO arena as well as in public service, and we do appreciate that. A lot of times public servants are taken for granted. With your broad experience, that's not taken lightly. Still, as we examine this issue, we're trying to get to who is responsible for making the operational and security decisions for the data retrieval tool? Sir, as I said in my opening testimony, we're all responsible for ensuring that cyber security is a top priority.
As a group we look at every risk assessment, we evaluate the situation and we make the decisions as to what level of risk we're willing to take with the application that we're talking about. Over the last year since transcript we've become much more conservative. But reevaluate the situation, discuss it and determine what actions we need to take. In your testimony you mentioned that this was unique because, unlike attempts or attacks on the IRS and the different departments within the IRS, this involved a different department. So you had one end of the pipe and the other end of the pipe. When you learned in September 2016 that it was possible with, quote, little stolen information, end quote, for a hacker to pose as a student and access the DRT tool and the data stored on that tool, why did you not move to immediately secure the tool through encrypting or otherwise masking the sensitive information accessible through the DRT? Sir, there was a couple actions that we took at that time. First of all, there was no data loss at the time, we had no evidence of fraud at the time. We immediately... Well, there's no evidence of fraud, but that doesn't mean that there wasn't. You had a clear indication that something was awry, yes or no? We looked at the analytics and we looked at all of the data that we had available to us at the time and we did not see anything suspicious. We contacted the Department of Education, both cyber organizations started to work to look at the data, and the data did not reveal that there was any kind of penetration going on at that time. What didn't, and I guess, you know, and here's the information that I'm speaking at specifically. The isolated case, did it not result in an indictment that is still processing in the courts from September 13th? It was a single case and they did not get the data. Well, I guess then let me follow on this vein, because what I hear each of the panel saying is no data breach, no problem. Then I hear Mr.
Camus say 100,000 investigation ongoing and fraudulent return file, and I'll come back to that. What do you think the department is responsible for securing the data on FAFSA.gov and other applications? 100 we're responsible for securing our data. Okay, but yet we see what the Department of Ed saying give us the tool, we have the IRS say here's your tool, and you got data coming out on one end and you think it's secure on the other, there's a leak. And yet it took you how many months, from September to February, to even recognize and say, no, we thought it was legitimate in September but now we think we might have a problem. That is a big period of breach. So would you say that you have a responsibility for, you do have that responsibility but that wasn't perceived as such in September? It was perceived in that there was a potential vulnerability in September, October, and the two departments worked together to create a solution that would prevent that vulnerability from being exploited. When it became an exploited vulnerability, which was in March, is when we took the appropriate action to bring it offline. And yet it wasn't shut down when you had indication in the start of a new financial aid season. And I guess what I'd like to do is, you know, Mr. Runcie, you said there was no evidence that a fraudulent information was accessed, but were fraudulent returns filed with regard to this data? Mr. Chairman, I can't tell you whether fraudulent returns were filed because we're not privy to that information. We analyzed the security information. We did an exhaustive examination looking at indicators of risks and we returned that information to the IRS so that they could complete some of their analysis. In September, as I mentioned earlier in my oral comments, we at that point probably had filed 50 million applications using the DRT. So we filed a substantial amount of applications using the DRT going back seven years to 2010.
It is an evolving landscape and it's quite possible, as we said, the criminals and the fraudulent activities, they're innovative and so things change. Over that period of time there wasn't any documented material criminal activities on the DRT. When that was found and confirmed it was shut down. So there's a history there that, one, we relied on even though we continued to monitor and we balance that against the risk of shutting off the tool and all the implications around. Well, there's always a risk of protecting taxpayers and I want to be respectful of the time. Before I turn it over to the Ranking Member, you know, what it appears is that we're not identifying that we had a breach and it's made us more vulnerable. And with that we'll come back to some of that at a later time. I'd like to recognize the Ranking Member, Mr. Cummings. Thank you very much, Mr. Chairman. Mr. Runcie, this past September the Inspector General issued a scathing report warning that student loan companies were using the federal aid website to take advantage of students. The IG explained the tactics that these companies were using to commit possible fraud. First, the loan companies would obtain the login credentials students use to access their accounts, then the loan companies would change or create new credentials to let them take control of the student accounts. These loan companies took advantage of these students for commercial gain and in many different ways. Are you aware of that report? Yes, I am. And in one case the IG reported that a loan consolidation company, and I quote, changed the mailing address, phone number and email address for borrowers so it would be difficult for borrowers to be contacted by their own loan servicers. Another company charged students a monthly fee to put their loan into forbearance with a promise of enrolling them in a reduction program even though the borrowers in some cases would not qualify for these programs. Mr.
Runcie, when you read reports, were you troubled by these companies that did this to these students? Ranking Member Cummings, yes, I think we were all troubled. And we continue to work with the IG. We have a potential solution or mitigating action that we're going to take later this month. So we understand what the issue is. But as you mention earlier, there is the technicality of someone who potentially signs up for these services, so whether it's through power of attorney or some other agreement there is that technical issue we have to deal with. So that... so the IG reported that it could not prosecute these companies based on technicalities. For example many of these companies required students to sign those power of attorneys, in other words to give the loan to companies, then use these power of attorneys to improperly access the student accounts. Mr. Runcie, it should not be necessary for students to sign power of attorneys to get student loans. Do you agree with that? Yes, I absolutely agree. One of the approaches we've taken is to go heavy on user education, I mean ultimately all of these services that are being provided can be done free. But again through aggressive marketing tactics and so forth it's quite possible that there are a number of people who are not aware they can get these services done free. We have been real focused on user education and in addition, you know, we're going to make sure that there's information out there that the IG can leverage in terms of going after some of the bad actors out there and that's what I referenced to earlier without being specific. I got you. Now, what other actions have been taken so that going forward these student loan companies will be held accountable for these abusive activities?
This thing, it's something about this that tears at my heart because I see so many, I've stood on the board of a college and I see young people having to drop out of school because they don't have money, and they're struggling, they just want to go out there and be all that God meant for them to be. And not only do they have to fight people who are supposed to be helping them, but then they got, then they lose the opportunity. They don't lose it maybe for a week or a day, they lose it for a lifetime. That's why I'm so concerned about this. Now, what assistance can Congress provide to help hold student loan companies more accountable? What can we do? Do you need some help? Yeah, I mean, you know, well, I have some thoughts. Give us your thoughts because we have a duty. Once we find out that there are things we can do we take try to figure out. But we got to know what they are. Yeah, so there's that technicality, I don't know if there's a way to limit the ability to transfer the authority of giving away your password and information so that others can provide those services. If there is some legislative process to address that, then I would be an advocate of it. I think the other thing though, you got to balance that potentially with, there may be a population, and I know it would be a segment, a small segment of the people that are being contacted, who, they actually need some guidance for some, whether it's loan consolidation or providing some other value within the federal student aid system. There may be some small amount and we would have to sort of think about the impact on those that might need some level of assistance. But again I think the bigger problem, which you indicated, there is the potential for people to be put in a situation where they're harmed for a very long period of time because they're not educated about some of the options out there to do it by themselves.
So would you, would you think a legislation regarding the doing away with the power of attorney requirement would be appropriate? I think it will be something that we should consider. I would, again, we'd have to do some analysis, it could be surveys or whatever. There are, like I said, there's potentially a group of some of the most needy who may need some assistance and I can't calibrate that right now. But I think as you said, the bigger problem is that there's a lot of them that aren't aware that they don't need to pay for these services and are now being exploited. Mr. Chairman, I would hope that we would pursue this even further. I think it would be legislative malpractice for us not to protect these students. It is ridiculous that we, we've got to do all that we can. I'm sure that you will work with us and everybody up there, panel will work with us to try to make sure that happens. The other thing we got to do, Mr. Chairman, we can't have just a hearing, those folks, we got to bring in the people that are messing over our young people and playing games with their lives. I look forward to working with you. And we move forward. And I thank the Ranking Member and agree that we, it extends beyond the students, it extends to all Americans. It's private data and even to the parents and others and look forward to working that effort. The chair would like to recognize now the gentleman from North Carolina, Mr. Walker. Five minutes. Thank you, Mr. Chairman. Mr. Camus, I want you to describe the following three incidents, just confirm them if you would please. Specifically the one started in September of 2016. Was that incident involving the data retrieval tool, was that criminal in nature? Yes, it was. Okay, was it also, did it result, the incident result in an indictment? Yes, it did.
Okay, there's also one that was identified in November of 2016 and the third was one on January 25th, 2016, in which a high number of taxpayer identification numbers were identified as being processed on the FAFSA that raised red flags. Did this result in a notification of a major incident to Congress? No, it did not. Okay. Ms. Garza, given the three separate incidents that's described, that predate the major incident involved in the DRT tool not taken offline. Question: why was the data tool not taken offline earlier? So I... Microphone, please. And if you would pull that a little closer and speak into it. Thank you. Thank you, sir. Congressman, in regard to the September incident we took immediate action by analyzing the data that we had and we found there was no evidence of breach. Data was not lost. And we started working with the Department of Education to strengthen the authentication process for the data retrieval tool. I am not aware of the incident in November and so I will have to go back and look at what the findings were for that. Yeah, I don't understand the fact it's for say, well, it wasn't breached, it wasn't breached. I was just thinking of my family back home, if I got a security system yet we have people trying to break into that, at some point I'm going to be concerned. Oh, nothing was taken, nobody was hurt, nothing was damaged. It doesn't make sense there's not more action being taken. Shouldn't IRS be concerned about the tool being insufficiently protected? Is that not what's important? Protecting the taxpayer unity is our priority. We're trying to merge the taxpayer data with the use of the tool, that's why we reached out to the Department of Education to have discussions about what we could take. We saw this as action we needed to take immediately and we did take that, those actions to come up with, to try to come up with a solution that would mitigate the risk. The keyword is trying to come up with a solution, I'm not sure we have arrived at that. According to Mr.
Runcie's testimony, after October 2015 discovery that the DRT could potentially be vulnerable the IRS increased monitoring of the tool for increased activity. Could you describe what that monitoring looked like? That is correct. We engaged with our friends and asked them as well as the new cyber analytics that we have in place to look for suspicious activity. It was because of that increased monitoring that we done and identified, we noticed there was suspicious activity done in February. There was also suspicious activity done in February, I believe. Was that discovered by accident? We have mechanisms in place. Multilayer defense mechanism. One is to the individual whose data is being identified. That led us to identify that we had an issue, as we investigated that issue we were able to find that in fact there was fraud that had taken place and we immediately shut down the application. So for the record you're saying that, no, that it wasn't discovered by accident? There was a notice that was generated to the taxpayer that had that taxpayer come in and notify us that there was something amiss. To me this is not only a question of taking responsibility for the IRS and the department's web accessible service and data, but of understanding the cyber security risks these online services and applications face, and I certainly agree with the Ranking Member Cummings. These are young people's lives at stake and too often they're coming out, getting started, to be able to put them on the path where they have to unravel this. I hope there's a sense of urgency to deal with this issue than presently seems to be at the time. With that, Mr. Chairman, I yield back. The gentleman yields back and the chair would like to recognize the gentlelady from New Jersey. For five minutes. Thank you very much, Mr. Chairman, and good morning to all of you. Mr. Runcie, in September the Inspector General reported that student loan companies misuse the department system to take advantage of students.
As reprehensible as this finding is, this is not the first time student loan companies have acted against the best interest of the students they're supposed to be serving. In 2015 the Financial Protection Bureau and the department conducted an inquiry finding a vast universe of complaints regarding loan servicers. This has drawn a series of policy memos that had been issued from the previous administration that was put in place to strengthen protections for student loan borrowers. Mr. Runcie, what would this impact have on student loan borrowers and do you think this could aggravate the practice of practices? In terms of our focus, you know, our focus from a servicing perspective is to make sure we have the highest priority outcome for students involved. We put in place a series of actions over the years and right now we're going through a recompetition among the servicers that you referenced. Because we're in a procurement process I can't really talk about specifics but I will reiterate that we are focused on having the highest quality product that we can from servicing representative and generating the best outcome for students and borrowers. Are you aware of a rollback of certain kblts that had been into in is that gaited or initiated in this administration that are overturning the kblts this were designed to protect students and as a rule nashlts? I'm personally not aware of any rollbacks. Is anyone on this panel with any knowledge on the part of either this administration through the White House or the Department of Education that has, that will negatively impact the accountability of who is and who is not a good person or entity to work in this space? Is that a no? There's no one. No. No. No. Interesting. Okay. This January the Consumer Financial Protection Bureau filed a lawsuit against one of the nation's largest servicers of federal and private student loans, Navient. According to the lawsuit, Navient cost students billions of.
Instead, it reportedly pushed borrowers into forbearance, suspending their payments but not the accrual of the compounding interest. Mr. Runcie, are you familiar with these allegations in the lawsuit? I'm familiar with those allegations. Navient student loans in 12 million borrowers and 6 million who is the services with the Department of Ed, is that so? I believe that's right. And Navient, it's alleged, and I quote, the servicer will act in the lender's interest. There is no expectation that the servicer will act in the interest of the consumer, is that right? I'm... I didn't hear the last part. The servicer acts in the lender's interest and there's no expectation that the servicer will act in the interest of the consumer. I understand that statement in the case of, you know, private lenders, a servicer would be acting on behalf of private lenders, that's right. Does it concern you that companies like Navient publicly claim they have no responsibility to act in the best interest of the students they're supposed to be serving? We are currently in a procurement process and I can't make a comment on that, of which Navient is also in the procurement process so I can't make a comment on that. We're making decisions about our servicers. All righty, then I'd expect what you're going to do is look at information such as this and we're not going to have to ask you again about someone like Navient even though you can't express whatever's happening with regard to that company right now. Yeah, what I can say is we look at past performance, responsibility metrics, there are criteria that we have to look at in terms of the process. I don't know by number the executive order or rollback that just took place as it takes to looking back at a company's business and reputation but I think that's something that you need to look at to see whether or not it does negatively impact your ability to ensure that the best is taken care of the best. Absolutely. Thank you. With that I yield back.
The gentlelady yields back. Gentleman from Ohio, recognized for five minutes. I thank the chair. Mr. Corbin, when did the IRS notify TIGTA that you guys have a problem? The notification happened that same day. You guys talked to Mr. Camus and his guys on February 27 of this year. I did not personally but someone with the IRS, yes, sir. And how many potentially are harmed by the hacking breach that took place? Congressman, approximately 100,000, sir. And the law requires you to notify Congress when something like this happens, doesn't it? I'm not familiar with that. I'll read it to you. The federal modernization act, guided by the budget guidance, says this: not more than 11 days after an incident you should notify Congress, correct? Correct, yes, sir. Okay, so you're supposed to do it, and do it within seven days, is that accurate? That sounds accurate, yes, sir. Doesn't sound accurate, that's the law. Yes, sir. When did you tell Congress? So I believe we notified Congress within that seven-day time frame from what I know. Really, is that true, Mr. Camus? Mr. Jordan, I'm not sure when they notified Congress. Because we don't have it on April 6th. You notify Congress and I'd have to go back and check that, Congressman. Well, that's important, right? Yes. Mr. Koskinen testified on April 6 and that's when he told outright in front of the Senate. Yes, Congressman, I have to go back and take that back and confirm that for you, sir. Well, we appreciate that but this is when Congress first learned, was on April 6, that there had been an incident. And here's what the statute says, it says not later than seven days after the date on which there is a reasonable basis to conclude that a major incident has occurred. Would you describe this as major, Mr. Camus? I would say so. Same here. So we're wondering why you waited so long? I don't have an answer to that, Congressman, I'll go back. We'd like to get that. Because frankly, let me turn to Mr. Camus.
Is this the first time IRS has waited to tell IRS of important information? Mr. Jordan, I'm not aware. I'll refresh your memory, there was an incident that happened over the last several years where the, for some time, targeting taxpayers based on their beliefs, are you familiar with that, Mr. Camus? I am aware. You did a couple investigations? Yes, sir. And was the IRS always forthcoming in a timely fashion with important information in that investigation you did, Mr. Camus? We found there was mistakes made and materials that should have been turned over. That's a nice way of saying, I appreciate that. You got a career in politics maybe after you're done with TIGTA. Let me refresh your memory. The IRS knew there was a gap in emails in 2014. They did nothing to stop the destruction of backup statements, do you remember this, Mr. Camus? Yes, I do. Because it was your investigation that discovered 421 backup tapes, is that right? Yes, sir