IRS notifies 100K of potential FAFSA data breach

In early April, the IRS began sending approximately 100,000 breach notification letters to individuals whose personal information may have been used to access the U.S. Department of Education’s Free Application for Federal Student Aid (FAFSA) website. The FAFSA website includes an IRS Data Retrieval Tool (DRT), which allows FAFSA applicants to automatically import tax data from the IRS into the relevant portions of the FAFSA application. To use the IRS DRT, the applicant must provide some personal information and be authenticated to receive additional tax data. The IRS recently became concerned that unauthorized individuals were using data they had obtained elsewhere to access tax data from the IRS DRT, in an attempt to possibly file false tax returns. The IRS is unable to differentiate between someone who was legitimately accessing the tool with his or her own personal information and someone who was accessing the tool with another person’s information for nefarious purposes. As such, anyone whose information was used to access the tool is receiving notice.

The IRS is offering one free year of credit monitoring to affected individuals. The IRS website includes FAQs on this incident. Those FAQs explain that individuals affected by this incident may not necessarily be victims of identity theft, and should not have had any issues filing their taxes.

“Using the Data Retrieval Tool is a separate process from filing a tax return. If there’s an issue with your tax return or tax refund, the IRS will contact you by mail with specific details and instructions.” Even so, “the IRS will take an extra precautionary step to mark [each affected individual’s] tax account to protect the taxpayer from possible tax-related identity theft.”

As the Department of Education FAFSA website reports, “The IRS DRT was turned off following concerns that data from the tool could be used by identity thieves to file fraudulent tax returns. Once enhancements are made to encrypt or mask the sensitive data, the IRS DRT will be reactivated.” The website reports that the tool will be activated in the fall.