Lawmakers press IRS, Education on cyber weaknesses

Two House committees pressed IRS and Education on information security concerns for a key online tool that handles millions of Social Security numbers as it facilitates students' applications for financial aid.


Two House committees pressed the Internal Revenue Service and the Department of Education on information security concerns for a key online tool that facilitates student applications for financial aid and handles millions of Social Security numbers.

Education is responsible for securing sensitive information of students and parents -- including 139 million Social Security numbers -- and relies on the IRS's Data Retrieval Tool (DRT) to automatically link families' tax information to students' applications for federal financial aid.

However, the agencies took the tool offline March 9 in response to concerns raised about potential cybersecurity weaknesses. In a joint statement, IRS and Education said families would have to manually provide the requested financial information from copies of their tax returns while the tool remains offline "for several weeks."

The statement characterized the move as "precautionary" and assured that "no additional action is needed by taxpayers" while the issue is resolved.

However, in letters to IRS Commissioner John Koskinen and Education Secretary Betsy DeVos, eight House members -- Republicans and Democrats from the committees on Oversight and Government Reform and Education and the Workforce -- expressed concerns about the tool's possible vulnerabilities and the scope of the information at risk.

Education's "ability to protect the information it collects, stores and transmits is a cybersecurity concern that transcends the agency itself and has the potential to affect the security of our nation," the letter reads.

"Millions of students applying for federal financial aid each year use the DRT, and a loss of functionality, even for days or weeks, has the potential to cause significant disruptions," the lawmakers wrote. "This is especially true for first-generation and low-income students who rely on the DRT tool, and for students in states that had not yet reached state priority deadlines for applying for financial aid when the DRT was taken offline."

The lawmakers requested information on when and how the agencies first became aware of a possible vulnerability, when IRS and Education notified U.S. CERT, the FBI and their inspectors general about the security concerns, as well as any discrepancy between the date that IRS approved taking DRT out of service and the date it was taken offline.

The lawmakers also asked about any recommendations shared between IRS and Education in the last year about DRT's operations or security, the scope of information that may have been compromised and any communications about whether to classify the security concerns as a "major incident," as defined by the Office of Management and Budget.

Additionally, they asked if IRS or Education has any plans to provide credit monitoring or other post-incident recovery services to those potentially affected.

The committees requested the information by March 30, as well as a briefing to ask further questions.