The chief operating officer for Federal Student Aid was among those who took questions from the House Oversight Committee. This is about 2 1/2 hours.

Good morning. The Committee on Oversight and Government Reform will come to order. Without objection, the chair is authorized to declare a recess at any time. The chair notes the presence of our colleague, Congressman Bobby Scott from Virginia. We appreciate his interest in this topic and welcome your participation today, sir. I ask unanimous consent that Congressman Scott be allowed to participate in today's hearing. Without objection, it will be so ordered. I would also like to ask unanimous consent to enter into the record statements from the following organizations: the National Association of Student Aid Administrators, the National College Network, the National Role on Education, and EPIC. Today we are here to talk about a data breach involving a Department of Education website and an IRS web-based application. Every day, literally, serious criminals conduct an unknown number of sophisticated and devastating cyber attacks against our nation. To get the government ahead of the curve will require more effort on the part of agency heads and Chief Information Officers as we begin the task of modernizing old, outdated and insecure federal technologies and network architectures. We cannot calibrate our defenses and buy the right security platforms unless we understand the threat. We must be honest and transparent about what risks we face and what damage is being done. Ignoring the problem or underestimating the threat places our nation and its citizens in danger. Once again, we find ourselves in the Oversight Committee investigating a data breach. Hackers were trying to file fraudulent tax returns and steal refunds. To accomplish this crime they turned to the Department of Education's FAFSA, the Free Application for Federal Student Aid, on government networks.
To get the one piece of information that they desired, that they couldn't buy in the marketplace, they came to the tool: specifically, taxpayers' adjusted gross income data. You need that AGI to authenticate your identity to the IRS and file your tax returns. All hackers needed to do was go to the dark web, buy a cache of American taxpayers' personally identifying information, use that to get into the FAFSA and the tool, and they had everything that they needed to steal taxpaying citizens' refunds. This is the kind of hacking scheme that federal agencies must be aware of when they make their services available online. If sensitive data can be accessed through an online application, it must be secured with strong authentication measures and appropriately equipped. Facing the truth is important not only because the incidents affect tens of thousands, if not hundreds of thousands, of American taxpayers and probably millions of students applying for student aid, but also because without understanding the threats we face, we can't protect ourselves. It took the Internal Revenue Service almost three months to determine that this was a major data breach incident that required congressional notification per requirements. And the department is still not calling this a major incident, and I would like to find out, and I'm sure my colleagues would as well, why. This is not about wordsmithing; what we call these incidents helps us bring the full weight of the federal government to bear on the cyber response, getting help to those who have been impacted and making sure the vulnerabilities are defended. Cyber attack is a team sport. A leak in one or the other still creates a leak. If we have other organizations' tools or technologies hooked up to our networks and websites, then we are responsible. It only takes one vulnerability and everyone that is connected is at risk.
What's so troubling about this incident is that it was detected through suspicious activity, accidentally. The hackers inadvertently targeted an IRS employee. Criminals do make dumb mistakes, but so do agencies. I'd like to think our detection and defense abilities are more advanced than relying on the dumb mistakes that criminals make. We aren't going to win this fight unless we understand the threats that we face, the damage that hackers and enemies are doing to us, and what we as a Congress can do to empower agency heads and CIOs to protect our networks. The first step in fighting back is wearing our mistakes like a badge. We should follow it with some good determination to not let it happen to the areas of government that have been entrusted to our charge. And with that, I would like to yield to the Ranking Member, Mr. Cummings.

Thank you very much, Mr. Chairman. No matter who may define it, it's a major incident. IRS or Education, I'm just letting you know it's a major incident. You can put any kind of definition on it, but I'm telling you it is. I welcome this hearing today. This hearing is about data retrieval, the Data Retrieval Tool, and that is a valid topic that several other committees are also addressing, and I do too. I want to thank Representative Scott for joining us today. He is one who has addressed these issues for many, many years, and I thank him. Now, what nobody seems to be addressing is the unethical, abusive and predatory actions of student loan companies. Last September, the Inspector General issued a report finding that multiple student loan companies, which were supposed to be, supposed to be helping students, were actually accessing and changing student loan information as part of predatory schemes to access their accounts, change their regular mail and email addresses, and even intercept correspondence. That's a major, major event.
Specifically, the IG reported that the process for logging on to the Federal Student Aid website was, quote, "being misused by commercial third parties to take over borrowers' accounts," end of quote. In one case the IG found that a student loan company, and I quote, "changed the mailing address, the phone number, and email address for borrowers so it would be difficult for the borrowers to be contacted by loan servicers," end of quote. In another case the IG found that a company charged borrowers monthly fees to, quote, "put their loans into forbearance with the stated promise of eventually enrolling them in the Public Service Loan Forgiveness or some other debt reduction program, even though the borrowers in some cases were not qualified for these programs," end of quote. This is major. The IG also found these companies were able to, quote, "intercept all of the borrowers' email correspondence, including password resets via email, important email notices and direct communication from FSA or the loan servicers," end of quote. Less than two weeks ago, on April the 20th, our committee staff conducted a transcribed interview with the special agent in charge of this investigation at the Inspector General's office. This is what he told us. He warned that these companies, and I quote, "were controlling thousands of accounts, or creating thousands of accounts and controlling them," end of quote. In other words, the very companies that were supposed to be helping students were actually abusing their trust. These practices are reprehensible, but the IG reported that it could not prosecute these student loan companies because of technicalities. Apparently these companies force students to sign powers of attorney to get loans, so the companies presumably can try to argue that they were authorized to engage in these abusive activities. Something is awfully wrong with that picture. It is outrageous that these companies got away with behavior they must have known was wrong.
Not must have known; they knew was wrong. I'm eager to hear from today's witnesses about improvements necessary to hold these student loan companies accountable for engaging in these deceptive and abusive practices. In addition, as we will hear today, criminals were able to compromise the Data Retrieval Tool, which is used to link student tax information to financial aid and student loan accounts online. These criminals then used this information to file fraudulent tax returns. It is unacceptable that students have to deal with the abusive practices of predatory loan companies, as well as the increased threats of identity theft. It is critical that we crack down on these criminal elements and improve the security of the systems. Congress also needs to support these efforts. Severe budget cuts in recent years have made it more difficult to make critical improvements in information technology. President Trump's budget proposal and staff reduction directives would exacerbate these challenges. Finally, if we really, really want to protect students from the abuses we are addressing here today, Congress obviously cannot abolish the Department of Education as some of my colleagues have proposed. We must support and increase our nation's investments in our students. As I often say, our children are the living messages we send to a future we will never see. The question is how will we send them. The question is how will we protect them. And this is that moment; this is our watch. With that, Mr. Chairman, I yield back.

Thank you. I will hold the record open for five legislative days for any members who would like to submit a written statement. We will now recognize our panel of witnesses. I'm pleased to welcome Mr. James Runcie, the Chief Operating Officer of Federal Student Aid at the Department of Education; Mr. Jason Gray, Chief Information Officer from the Department of Education; Ms. Gina Garza, Chief Information Officer of the Internal Revenue Service; the Honorable Kenneth Corbin; and Mr.
Timothy Camus, the Deputy Inspector General for Investigations, Treasury Inspector General for Tax Administration. We welcome all of you and thank you for being here this morning. Pursuant to committee rules, all witnesses will be sworn in before they testify. Would you please rise and raise your right hand. Do you solemnly swear or affirm that the testimony you're about to give will be the truth, the whole truth and nothing but the truth? I do. Thank you, please be seated. Let the record reflect that the witnesses answered in the affirmative. In order to allow time for discussion, we would appreciate it if you would please limit your oral testimony to five minutes each. Your entire written statement will be made a part of the record. And with that, I'm pleased to recognize Mr. Runcie for five minutes.

Thank you, Chairman Russell, Ranking Member Cummings and members of the committee, for the opportunity to join you today. I'll discuss the events that led to the Data Retrieval Tool, or DRT, being disabled and the actions we've taken to assist students, parents, borrowers and schools. FSA delivered more than $125 billion in aid to over 13 million students attending more than 6,000 schools last year. FSA is committed to safeguarding taxpayer information as we guard access to federal student aid for students and their families. During my ten years at FSA we've managed the growth of the direct loan portion of the student loan portfolio from 9.2 million recipients to [inaudible] recipients. One of the critical resources that have assisted in this growth is the DRT. It became available in 2010 through the IRS and FSA and provides FSA customers an effective way to transfer required IRS tax information. Each year about half of the 20 million FAFSA filers use the DRT, and another 4.5 million borrowers use the tool for income-driven repayment applications. In total, over 50 million FAFSA applications have utilized the DRT since its inception.
Using it saved many applicants time and lowered the verification hurdle for schools and their dedicated staff and financial aid professionals. Following a security [inaudible] last year, FSA contacted the IRS about a DRT vulnerability. The joint goal was to minimize the vulnerability without causing a major disruption to our customers. We agreed to keep the DRT in operation by monitoring the tool for suspicious activity. FSA evaluated many solutions that could be integrated with both applications and increase the protection for taxpayer information. Many solutions did not meet the required security threshold or resulted in too few applicants being able to access student aid. In February we agreed to develop and implement an encryption solution. This solution will be employed for the 2018/19 award year beginning October 1st, 2017. We'll continue to monitor the applications for the current award year and still allow for DRT use. On March 3, the IRS notified us of suspicious activity and suspended its use. It involved bad actors who obtained information elsewhere and began filling out FAFSAs and utilizing taxpayer information through the DRT. This could be used to file fraudulent tax returns. I want to reiterate we have no evidence that personal information from the department's systems was accessed. However, with evidence that criminals were starting to exploit the vulnerability of the DRT, using the tool was no longer an option. The solution to bring back the DRT will allow tax information to be transferred, but it will encrypt the information and hide it from the applicant's view. For the IDR application we are targeting the end of May to have the DRT functionality available to applicants. We are scheduled to meet the October 1st timing for the 18/19 year. Consequently, we're reminding students, parents and borrowers they can still apply for aid and repayment plans without the DRT.
Ongoing efforts involve utilizing all of our communication resources, digital properties and vendors, and leveraging the financial aid community. The department also issued a communication to schools extending flexibility regarding verification procedures. I appreciate the opportunity to provide you with this information and I welcome any questions you may have here today. Thank you.

Thank you. The chair now recognizes Mr. Gray for five minutes.

Thank you, Chairman Russell and Ranking Member Cummings and members of the committee. I'm Jason Gray, CIO for the Department of Education, a position I've had the privilege of holding since June of 2016. I appreciate the opportunity to speak with you today on a cyber security incident that led to the shutdown of the IRS Data Retrieval Tool. As CIO I embrace the mission of fostering educational excellence and ensuring equal access by ensuring we apply information technology effectively, efficiently and securely. I take this responsibility seriously and understand that this includes the entire department, including Federal Student Aid and all principal and support offices. When we became aware that the IRS had confirmed that tax data accessed through the FAFSA link to the DRT may have been used to fraudulently file tax returns, we activated our immediate response. This enabled us to gather data and understand the incident. We held daily meetings to facilitate communication between the technical staff of my office, Federal Student Aid and the IRS. We reported the incident to our Office of the Inspector General and to the United States Computer Emergency Readiness Team at Homeland Security. While the department's systems were involved, this was in essence a scheme directed at retrieving tax data from the IRS. There is no evidence that the malicious actors were able to access any information from the department's systems.
I am confident the personal information the department has on borrowers, students and parents remains appropriately protected. I will explain further actions we've taken to help strengthen our program to protect sensitive data and privacy that's managed by the department. Security is a priority for the department. We created incident response and data breach response processes. In 2016 the department conducted two incident response tabletop exercises that helped us refine our incident response process through the development of lessons learned and identification of actions the department needed to enhance our overall incident response process. The department has implemented a number of technical controls and solutions to detect policy violations, unauthorized changes and unauthorized access to the department's network. This includes a data loss prevention solution which restricts sensitive data such as Social Security numbers outs