The key word is trying to come up with a solution is not sure we have arrived at that. After the October 2016 discovery that the dit could be vulnerable the IRS is monitoring for any suspicious activity, we engaged with our friends. And asked them, and suspicious activity in January. And an incident in February, multilayer defense mechanisms, one of the mechanisms is notification to the address record for the individual. That led us to identify that we had an issue, we were able to find that in fact there is fraud that has taken place and immediately shut down the application. It is not discovered by accident. It was a notice generated from the taxpayer. The taxpayer came in and notified us. Taking responsibly for the IRS, and the applications face. Please her young people's lives at stake, to fit their unraveling that. The gentleman yields back. The chair would like to recognize the gentlelady from New Jersey for five minutes. Good morning to all of you. In September the Inspector General reported student loans in the department system to take advantage of students. As reprehensible as the fighting his this is not the first time student loan companies have acted against the best interest of the students they are supposed to be serving. In 2015 the Consumer Financial Protection Bureau conducted a public inquiry, signing complaints regarding loan servicers. More concerning the current administration has withdrawn a series of policy memos in the previous administration that was put in place for protection for student loan borrowers. And student loan borrowers, predatory lending practices. In terms of our focus, our focus on the servicing perspective, high quality outcomes of students and borrowers, we put in place a series of actions over the years and going through, and can't really talk about specifics, I would reiterate, focused on high quality product, generating the best outcomes of student borrowers. 
Are you aware of rollback of certain oversight, accountability, initiated in this administration that are overturning the accountabilities designed to protect students and vulnerabilities. I personally am not aware of any rollbacks. Anyone on this panel, any recent actions on the part of for the White House and Department of Education. That will negatively impact the accountability of who is or is not a good person or entity to work in this space. Is that a no? This January the Consumer Financial Protection Bureau filed a lawsuit against the largest services of federal and private loan, according to the lawsuit, billions of dollars by withholding information about income-based repayment programs. Instead, pushing borrowers into forbearance, for a cruel of the compound interest. Are you familiar with these allegations. I'm familiar with those allegations. The student loans of 12 million borrowers and 6 million service contractors with the Department of Education. That is right. And the lenders interest. In the lenders interest, for the interest of the consumer. Is that right? The servicers act. And the lenders interest. And no expectation in the interest. In the case of private lenders, a servicer working on behalf of private lenders. Does it concern you companies publicly claim they have no responsibility to act in the best interest of the students they are supposed to be serving? We are in the procurement process. I can't make a comment on that. And they are also in the process. I can't make a comment on that. We can't make decisions about our services. I expect we ask you again about someone like navia and even though you can't express what is happening with regard to that company right now. We look at responsibility metrics I don't know by number the executive order or rule back that took place, and looking back at a company's business and reputation. And the best is taken care of the best. I yield back. Mister george recognized for five minutes. 
When we notified that there was a problem. It happened the same day. You talked on February 27th this year. How many taxpayers are harmed by the breach that takes place? Approximately 100,000. The law requires you to notify Congress when something like this happens. I'm not familiar with that. The Federal Information Security Modernization Act. Not later than 7 days after the date of the incident you should notify Congress. Yes. You are supposed to do it within seven days. Is that accurate? It sounds accurate. It doesn't sound accurate, that is the law. What did you tell Congress? In that 7-day timeframe, that is what I know. Is that true? I am not sure when they made notification to Congress. We don't have it until April 6th which is longer than 7 days. You tell Congress on April 6th. I would have to go back and check. That is important, right? Yes. Mister Koskinen told us before the Senate. I have to go back and confirm that for you, sir. We appreciate that but that is when Congress first learned on April 6th that there had been an incident. Here is what the statute said. Not more than 7 days, are you going to describe this as major? 100,000 people, I would say so. Same here, we wonder why you waited so long. I will find out for you. We would like to get that. Is this the first time the IRS is waiting to tell Congress important information? I am not aware. I can't answer. There was a little incident that happened the last several years where the Internal Revenue Service systematically and for a sustained period of time targeted taxpayers based on their political beliefs. Remember that situation? I'm familiar with that. You did an investigation into that, a couple investigations. Was the IRS always forthcoming in a timely fashion with important information in that investigation? We found there were some mistakes in materials that should have been turned over. A nice way to say it. You might have a career in politics with that answer. Let me refresh your memory. 
The IRS knew there was a gap in Lois Lerner's email in February of 2014, did nothing to stop the disruption of back updates. 421 backup tapes. And 24,000 do you know what he told Congress. June 14, 2014. We have the Internal Revenue Service, the agency has a lot of influence and impact on American people's lives with a major breach that the losses you are supposed to tell Congress within one week, within 7 days, they wait 38 days. Think about what Congressman Walker talks about. That took place before February 27th. When Mister Koskinen testified and said we are putting you on notice that there has been a major breach, 100,000 taxpayers impacted, look what he said in that testimony. On April 6, 2017, Mister Koskinen testified before the Finance Committee that we started working with Education in October telling them we were very concerned, very concerned that the system could be utilized by criminals. The Mister Koskinen was on notice that there were potential problems, potential big problems, use the term very concerned clear back in October of last year. And on 27, the IRS told you this is real. They don't comply with the law until Congress within a week, they wait 38 days to tell us. Not supposed to be how it works. Doesn't sound so. The IRS is treating taxpayers the way they are not supposed to and it is why this committee has been focused on trying to clean up the mess and I have been focused on saying Mister Koskinen has to go. I yield back. Thank you, Mister Jordan. Miss Plaskett recognized for five minutes. I think the lovely chairwoman for the opportunity to speak. Thank you for being here. Everyone on both sides of the aisle are concerned about this issue. Most of us have children and have our own student loans or loans, as well as constituents. I did want to touch on something a few minutes ago, talking about lawsuits, this is a lawsuit, and a lower default rate with loan companies and have propensity to loan to a minority and underserved communities. 
The default rate of students who have loans is significantly lower than other loan companies. I will have to confirm that. The lower default rate is better but I have to confirm that. The portfolios are not the same for competition and sometimes there would be natural differences in the default rates. The Inspector General's report, the systems were being misused by commercial third parties, something we talked about, things that we are very keen on, and are navigated a difficult system, the first incident into their own finances making decisions. And student loan companies, student loan consolidators. And the special agent in charge of conducting that investigation for the IG, and commercial interests for loan consolidators. The commercial interest is key to me, and signaling companies, leading thousands of accounts, and using information, in a manner to control those accounts? My understanding it is a fee for service, and 1000 clients being charged for those services, it would be a commercial endeavor. Do you have a list of companies that were doing that? We identified some. We obtain a list of every student loan company involved in activities. I don't want to commit a week, two weeks, a month. You give us a month it would be appreciated. To the outside. Special agent in charge, account holders taking advantage, sound outrageous and can you explain not just with aggressively pursuing but what about taking advantage of them. Don't want to speculate, to the extent they are providing services, and can receive correspondence for decisions on behalf and those might benefit them commercially. Are any of the same companies doing business with the Department of Education? Not that I know of. We have a responsibility to help protect students from the kind of abuse but very pleased we are having this hearing to go through this. 
And a follow-up hearing within the next student loan companies that are engaged in these activities and hope we have the IG from the Department of Education about what they found. And what you provided us and I hope we are able to do that. I yield back. Thank you. I want to say thank you for your willingness to accommodate me on tour the other night. It was not necessary but I appreciate that and you have the right to ask any witness for information and I am sure that will be followed up so thank you very much. You are recognized for five minutes. I apologize if I review some information that has been discussed in this hearing but raise your hand if you are responsible for fastfood. Gov. Let the record reflect, raise your hand if you are responsible for the dart tool? All right. Let the record reflect Garza and Mister Corbin raised their hand was October 25, 2016, IRS conducted a risk assessment and concluded that the dart tool was needing stronger authentication measures. That correct? And set to take into improve the authentication measures? We started to work with the Department of Education. What did you do since October 25, 2016, to strengthen the dart tool. Increase monitoring on that application. So that we could become alerted should something suspicious happen. Were those efforts successful? In January those efforts that identified suspicious activity and at that time we partner with the Department of Education to get our two cyber teams together to review suspicious activity and we were informed by the Department of Education, it was normal behavior. What steps are being taken to strengthen the authentication of dart? We have developed and implemented on the IRS side, working with the Department of Education. How is encryption going to help with authentication if you have a user that has stolen credentials? The authentication solutions and providing application. Encryption on the back end, help with authentication, and stolen credentials. 
It does not improve authentication. A special applicant. If you have stolen credentials. Are you able to prove that you have the credentials, what do you do to prevent that from happening? There are keys that from the IRS share with the Department of Education. As the applicant comes in and releases data to the Department of Education, they don't have access, to be encrypt that data, the Department of Education once it gets to their side, they will be able to decrypt the data. So the applicant so Mister Gray, how do you respond? What are you doing to strengthen authentication. To authenticate to the end user? We are dealing with proactive measures. It portends to something in the future, and what you have done. And we protect these systems. I referenced them in my opening statement. How does that help with this is the balance, this is an application form. I get that. It is your responsibility to confirm entering the data is indeed the person who owns that data. I recognize that is a tough job. And the theft of 100,000 students, so the dart tool is lacking, my concern is everyone is doing this. And I want to hear that too. The authorities I have are very adequate. In terms of what we are doing, the acceptability of the tool which at this point is a web application where students and prospective borrowers, the level of authentication for that. Disbursing the funds, and we are masking the data so that if an identity thief logs in to the system they will not see the data which would not allow them to exploit this vulnerability. I apologize for going over my time. Without objection I will recognize Mister Duncan for unanimous consent requests. You will not get to me for questions, make unanimous consent in this point. And the financial aid administrator of Tennessee College of technology, with problem and email. Thank you very much. Thank you, Mister Duncan. Miss Kelly, you are recognized for five minutes. 
In recent years, hacking, identity theft and cybercrimes have been on the rise. I have been a victim myself, federal agencies do their part to secure the systems but Congress must acknowledge impact its own access on the ability to agencies to protect their IT systems. Many agencies face serious challenges monitoring outdated legacy IT systems. And severe budget cuts, and Republican control harvesters. And the Chief Information Officer Terrence Mulholland testified, quote, the IRS budget system is the most critical challenge facing IT modernization. What are the impact of budget cuts on the ability of the IRS to modernize IT systems. We putting taxpayers at greater risk? One of the things Congress did last year. 290 million, we have a portion of that funding, to monitor systems closely, we continue to invest the review program, that allows us to create rules, as returns come in, to evaluate returns for potential fraud and identity theft and stop those returns before they are paid out. It is on. I want to thank Congress for the money we did receive. That is extremely beneficial and puts Youth Technology in place protecting our systems at a higher level. Then they have done in the past. In this incident itself we were able to address the situation a lot quicker than we would have been able to in the past because of new monitoring capability in the data analytics capabilities that are implemented using those resources. Would you say more is needed? We would be thankful for additional resources or continued support in this area. It is not just IT systems affected by resorts might increase progress on modernization and cybersecurity measures and would require significant additional resources in IT areas. Do you agree with that assessment? I would agree with the assessment of our needs. I would agree as well. 
Yet again, Congress failed to ensure agencies have resources to carry out their missions, under IRS Restructuring and Reform Act of 1998 Congress gained IRS the authority a limited number of individuals, for critical and technical positions at level greater than general schedule rates. The critical pay authority was intended to help the agency attract highly qualified individuals with advanced technical expertise who might otherwise be available for government service at normal federal levels. The IRS uses its authority, from 1998 to 2013. And to make federal government jobs more appealing to highly qualified technical individuals interested in public service but earning a much highers chess salary. The streamlined critical pay that we had was beneficial for the IRS. Because of that authority we were able to bring on board high-level architects, engineers and cybersecurity experts. Over the last several years they helped us ensure that we were doing what was needed to secure our perimeter and make sure our systems are running much better. An important component of this is the streamlined part of the critical pay. It