...nation in front of his own interests, because that's what Jackson did for most of his presidency. Sunday night at 8:00 Eastern on C-SPAN's Q&A.

The House Oversight Committee held a hearing on a data breach in the online student loan application known as FAFSA. Hackers used a flaw in the system to steal IRS filing information on as many as 100,000 taxpayers. IRS and Education Department officials testified at this two-and-a-half-hour hearing.

Good morning. The Committee on Oversight and Government Reform will come to order. Without objection, the chair is authorized to declare a recess at any time. The chair notes the presence of our colleague, Congressman Bobby Scott from Virginia. We appreciate his interest in this topic and welcome your participation today, sir. I ask unanimous consent that he be allowed to fully participate in today's hearing. Without objection, it will be so ordered. I would also like to ask unanimous consent to enter into the record statements from the following organizations: the National Association of Student Financial Aid Administrators, the National College Access Network, the American Council on Education, and EPIC. Today we are here to talk about a data breach involving a Department of Education website and an IRS web-based application. Every day, literally, adversaries and criminals conduct an unknown number of sophisticated and devastating cyber attacks against our nation. To get ahead of the curve will require even more effort on the part of agency heads and chief information officers as we begin the task of modernizing old, outdated, and insecure federal technologies and network architectures. But we cannot calibrate our defenses and buy the right security platforms unless we understand the threat. We must be honest and transparent about what risks we face and what damage is being done. Ignoring the problem or underestimating the threat places our nation and its citizens in danger.
Once again, we find ourselves in the Oversight Committee investigating a data breach. Hackers were trying to file fraudulent tax returns and steal refunds. To accomplish this crime, they turned to the Department of Education's FAFSA, or Free Application for Federal Student Aid, at FAFSA.gov, and the Data Retrieval Tool, which was designed to aid in financial aid applications. To get the one piece of information that they desired that they couldn't buy in the marketplace, they came to the tool: specifically, taxpayers' adjusted gross income data. You need that AGI to authenticate the identity for the IRS and file tax returns. So all hackers needed to do was go to the dark web, buy a cache of American taxpayer personally identifiable information, use that to get into FAFSA.gov and the Data Retrieval Tool, and then they had everything that they needed to steal tax-paying citizens' refunds. This is exactly the kind of hacking scheme that the federal agencies must be aware of when they make their services available online. If sensitive data can be accessed through an online application, it must be secured with strong authentication measures and appropriately encrypted. We need to call these events what they are: data breaches and major incidents. Facing the truth is important not only because the incidents ultimately affect hundreds of thousands of taxpayers and probably millions of students applying for student aid, but also because without understanding the threats we face, we can't protect ourselves. It took the Internal Revenue Service almost three months to determine that this was a major data breach incident that required congressional notification per FISMA requirements, and the Department is still not calling this a major incident, and I would like to find out, and I'm sure my colleagues would too, why. This is not about wordsmithing. What we call these incidents helps us bring the full weight of the federal government to bear on the cyber response.
Getting help to those that have been impacted and making sure the vulnerabilities are defended. Cybersecurity is a team sport. A leak at one end of the pipe or the other still creates a leak. Agencies must safeguard their data and make sure it goes where they intend. If we have other organizations' tools or technologies hooked up to our networks or websites, then we are responsible. It only takes one vulnerability, and then everyone connected to that vulnerability is at risk. What is so troubling about this incident is that it was detected through suspicious activity accidentally. The hackers inadvertently targeted an IRS employee. Criminals do make dumb mistakes. But so do agencies. I'd like to think our detection and defense abilities are more advanced than relying on the dumb mistakes that criminals make. We aren't going to win this fight unless we understand the threat that we face, the damage that hackers and enemies are doing to us, and what we as a Congress can do to empower agency heads and CIOs to protect our networks. The first step in fighting back is wearing our mistakes like a badge. We should follow it with some grit and determination to not let it happen to the areas of government that have been entrusted to our charge. And with that, I would like to yield to the Ranking Member, Mr. Cummings.

Thank you very much, Mr. Chairman. No matter who may define it, this is a major incident. Education, I'm just letting you know: it's a major incident. You can put any kind of definition on it, but I'm telling you it is. I welcome this hearing today. This hearing is about the Data Retrieval Tool, and that is a valid topic that several other committees are also addressing, and I, too, Mr. Chairman, want to thank Representative Scott for joining us today. He is one who has addressed these issues for many, many years, and I thank him.
Now, what nobody seems to be addressing is the unethical, abusive, and predatory actions of student loan companies. Last September, the Inspector General issued a report finding that multiple student loan companies, which were supposed to be helping students, were actually accessing and changing student logon information as part of predatory schemes to access their accounts, change their regular mail and email addresses, and even intercept correspondence. That's a major, major event. Specifically, the IG reported that the process for logging on to the Federal Student Aid website was, quote, being misused by commercial third parties to take over borrowers' accounts, end of quote. In one case, the Inspector General warned that a student loan company, and I quote, changed the mailing address, the phone number, and email address for borrowers so that it would be difficult for the borrowers to be contacted by loan servicers, end of quote. In another case, the IG found a company charged borrowers monthly fees to, quote, put their loans into forbearance with the stated promise of eventually enrolling them in the Public Service Loan Forgiveness or some other debt reduction program, even though the borrowers in some cases were not qualified for these programs, end of quote. This is major. The IG also found that these companies were able to, quote, intercept all of the borrowers' emails, correspondence, including password resets via email, important email notices, and direct communication from FSA or the loan servicer, end of quote. Less than two weeks ago, on April 20th, our committee staff conducted a transcribed interview with the special agent in charge of this investigation at the Inspector General's office. This is what he told us. He warned that these companies, and I quote, were controlling thousands of accounts, or creating thousands of accounts and controlling them, end of quote.
In other words, the very companies that were supposed to be helping students were actually abusing their trust. These practices are reprehensible, but the IG reported that it could not prosecute these student loan companies because of technicalities. Apparently, these companies force students to sign powers of attorney to get loans, so the companies presumably could try to argue that they were authorized to engage in these abusive activities. Something is awfully wrong with that picture. It is outrageous that these companies effectively got away with behavior they must have known was wrong. No, not must have known. They knew was wrong. I'm eager to hear from today's witnesses about improvements necessary to hold these student loan companies accountable for engaging in these deceptive and abusive practices. In addition, as we will hear today, criminals were able to compromise the Data Retrieval Tool, which is used to link student tax information to financial aid and student loan accounts online. These criminals then used this information to file fraudulent tax returns. It is unacceptable that students have to deal with the abusive practices of predatory loan companies as well as the increased threats of identity theft. It is critical that we crack down on these criminal elements and improve the security of these systems. Congress also needs to support these efforts. Severe budget cuts in recent years have made it more difficult to make critical improvements in information technology. President Trump's budget proposal and staff reduction directives would exacerbate these challenges. Finally, if we really, really want to protect students from the abuses we are addressing here today, Congress obviously cannot abolish the Department of Education, as some of my colleagues have proposed. We must support and increase our nation's investments in our students. As I often say, our children are the living messages we send to a future we will never see.
The question is, how will we send them? The question is, how will we protect them? And this is that moment. This is our watch. And with that, Mr. Chairman, I yield back.

Thank you. I will hold the record open for five legislative days for any members who would like to submit a written statement. We will now recognize our panel of witnesses. I'm pleased to welcome Mr. James Runcie, the Chief Operating Officer, Office of Federal Student Aid, Department of Education; Mr. Jason Gray, Chief Information Officer from the Department of Education; Ms. Gina Garza, Chief Information Officer of the Internal Revenue Service; the Honorable Kenneth Corbin, Commissioner, Wage and Investment Division of the Internal Revenue Service; and Mr. Timothy Camus, the Deputy Inspector General for Investigations, Treasury Inspector General for Tax Administration. We welcome all of you and thank you for being here this morning. Pursuant to committee rules, all witnesses will be sworn in before they testify. Would you please rise and raise your right hand? Do you solemnly swear or affirm the testimony you are about to give will be the truth, the whole truth, and nothing but the truth? Thank you. Please be seated. Let the record reflect that the witnesses answered in the affirmative. In order to allow time for discussion, we would appreciate it if you would please limit your oral testimony to five minutes each. Your entire written statement will be made a part of the record. And with that, I'm pleased to recognize Mr. Runcie for five minutes.

Thank you, Chairman Russell, Ranking Member Cummings, and members of the committee for the opportunity to join you today. I'll discuss the events that led to the Data Retrieval Tool being disabled, the plan to restore the tool, and the actions we have taken to assist students, parents, borrowers, and schools. As the largest source of aid in the U.S., FSA delivered $125 billion in aid to students attending 6,000 schools last year.
FSA is committed to safeguarding taxpayer interests while providing access to student aid for students and families. During my tenure at FSA, we have managed the growth of the direct loan portion of the student loan portfolio from 9.2 million recipients and $155 billion to 32 million recipients and approximately $1 trillion. One of the critical resources that has assisted the Department in this growth is the DRT. It first became available in 2010 through the joint efforts of the IRS and FSA, and it provides FSA's customers an effective way to transfer required IRS tax information. Each year, about half of the 20 million FAFSA filers use the DRT, and 4.5 million borrowers use the tool for IDR plans. In total, over 55 million FAFSA and IDR applicants have used it since its inception. Using the DRT has saved millions of hours of time, reduced improper payments by billions of dollars, and lowered the hurdle for schools and their dedicated staff of financial aid professionals. Following a review last year, the agency contacted FSA about a potential DRT vulnerability. The joint goal of the IRS and FSA was to minimize the potential vulnerability without causing a major disruption to our customers. We agreed to keep the DRT operational while increasing the monitoring of the tool for suspicious activity. The IRS and FSA evaluated many solutions that could be integrated with both applications and would increase the protection of taxpayer information. Many solutions did not meet the required security and privacy threshold or resulted in too many applicants being unable to access federal student aid. In February, we agreed to develop and implement an encryption solution. This solution would be employed for the 2018-19 award year beginning October 1st, 2017. The IRS and FSA also agreed that we would continue to monitor the applications for the current award years and still allow for DRT use. On March 3rd, the IRS alerted FSA of suspicious activity related to the DRT and suspended its use.
The suspicious activity involved bad actors obtaining personal information elsewhere and then filling out FAFSAs to access taxpayer information from the IRS through the DRT. This information could then be used to file fraudulent tax returns. I want to reiterate that we have no evidence that any personal information from the Department was accessed. We are starting to address the potential vulnerability. For the DRT for the IDR application, we are targeting the end of May for applicants. For the FAFSA, we are scheduled to meet the timing for the launch, but the current award year of 2017-18 will not have the DRT available for the remainder of the award year. We are reminding students and borrowers that they can apply for the repayment plan without the DRT. Our ongoing efforts are utilizing resources and vendors. The Department also issued a communication on flexibilities regarding verification procedures. I appreciate the opportunity to provide you this information, and I welcome any questions you may have here today. Thank you.

Thank you. The chair now recognizes Mr. Gray for five minutes.

Thank you, Chairman Russell and Ranking Member Cummings. I am Jason Gray, Chief Information Officer, a position I have had the privilege of holding since June of 2016. I appreciate the opportunity to speak with you today about the events that led to the shutdown of the IRS Data Retrieval Tool. As CIO, I embrace the mission of promoting student achievement and competitiveness, fostering educational excellence, and ensuring equal access by ensuring that we apply information technology effectively and securely. I understand that this includes the entire Department, including Federal Student Aid and all principal offices. We immediately activated our response processes. This involves coordinating security operations center resources, together with forensic data, to get a better understanding of incidents.
Additionally, we reported the incident to our Office of Inspector General and to the United States Department of Homeland Security. While the Department's systems were involved, this was not a scheme directed at the Department, but at retrieving tax data from the IRS. There is no evidence that the malicious actors were able to access any personal information from the Department's systems. I am confident that the personal information that the Department has on borrowers, students, and parents remains protected. Incident response is a priority for the Department. We are forming working groups to address cybersecurity incidents. The Department needed to enhance our overall incident response process. The Department implemented a number of technical controls against violations and unauthorized changes. This includes data loss prevention solutions which restrict users from sending emails containing PII. In