The House Oversight Committee held a hearing on a data breach in the online student loan application known as FAFSA. Hackers used a flaw in the system to steal IRS filing information on as many as 100,000 taxpayers. IRS and Education Department officials testified at this two and a half hour hearing. Good morning. The Committee on Oversight and Government Reform will come to order. Without objection, the chair is authorized to declare a recess at any time. The chair notes the presence of our colleague Congressman Bobby Scott from Virginia. We appreciate his interest in this topic and welcome your participation today, sir. I ask unanimous consent that he be allowed to fully participate in today's hearing. Without objection, it will be so ordered. I would also like to ask unanimous consent to enter into the record statements from the following organizations: the National Association of Student Financial Aid Administrators, the National College Access Network, the American Council on Education and EPIC. Today we are here to talk about a data breach involving a Department of Education website and an IRS web-based application. Every day, literally, adversaries and criminals conduct an unknown number of sophisticated and devastating cyber attacks against our nation. To get the government ahead of the curve will require even more effort on the part of agency heads and chief information officers as we begin the task of modernizing old, outdated and insecure federal technologies and network architectures. But we cannot calibrate our defenses and buy the right security platforms unless we understand the threat. We must be honest and transparent about what risks we face and what damage is being done. Ignoring the problem or underestimating the threat places our nation and its citizens in danger.
Once again, we find ourselves in the Oversight Committee investigating a data breach. Hackers were trying to file fraudulent tax returns and steal refunds. To accomplish this crime they turned to the Department of Education's FAFSA, or Free Application for Federal Student Aid, at FAFSA.gov, and the Data Retrieval Tool, which was designed to aid in financial aid applications. To get the one piece of information that they desired that they couldn't buy in the marketplace, they came to the tool: specifically, taxpayers' adjusted gross income data. You need that AGI to authenticate your identity to the IRS and file tax returns. So all hackers needed to do was go to the dark web, buy a cache of American taxpayers' personally identifiable information, use that to get into FAFSA.gov and the Data Retrieval Tool, and then they had everything that they needed to steal taxpaying citizens' refunds. This is exactly the kind of hacking scheme that federal agencies must be aware of when they make their services available online. If sensitive data can be accessed through an online application, it must be secured with strong authentication measures and appropriately encrypted. We need to call these events what they are: data breaches and major incidents. Facing the truth is important not only because these incidents ultimately affect hundreds of thousands of taxpayers and probably millions of students applying for student aid, but also because without understanding the threats we face we can't protect ourselves. It took the Internal Revenue Service almost three months to determine that this was a major data breach incident that required congressional notification per FISMA requirements, and the department is still not calling this a major incident. I would like to find out, and I'm sure my colleagues would too, why. This is not about wordsmithing. What we call these incidents helps us bring the full weight of the federal government to bear on the cyber response.
Getting help to those that have been impacted and making sure the vulnerabilities are defended. Cyber security is a team sport. A leak at one end of the pipe or the other still creates a leak. Agencies must safeguard their data and make sure it goes where they intend. If we have other organizations' tools or technologies hooked up to our networks or websites, then we are responsible. It only takes one vulnerability, and then everyone connected to that vulnerability is at risk. What is so troubling about this incident is that it was detected through suspicious activity accidentally. The hackers inadvertently targeted an IRS employee. Criminals do make dumb mistakes. But so do agencies. I'd like to think our detection and defense abilities are more advanced than relying on the dumb mistakes that criminals make. We aren't going to win this fight unless we understand the threat that we face, the damage that hackers and enemies are doing to us, and what we as a Congress can do to empower agency heads and CIOs to protect our networks. The first step in fighting back is wearing our mistakes like a badge. We should follow it with some grit and determination to not let it happen to the areas of government that have been entrusted to our charge. And with that, I would like to yield to the Ranking Member, Mr. Cummings. Thank you very much, Mr. Chairman. No matter how you may define it, this is a major incident. Education, I'm just letting you know: it's a major incident. You can put any kind of definition on it, but I'm telling you it is. I welcome this hearing today. This hearing is about the Data Retrieval Tool, and that is a valid topic that several other committees are also addressing, and I, too, Mr. Chairman, want to thank Representative Scott for joining us today. He is one who has addressed these issues for many, many years and I thank him.
Now, what nobody seems to be addressing is the unethical, abusive and predatory actions of student loan companies. Last September, the Inspector General issued a report finding that multiple student loan companies, which were supposed to be helping students, were actually accessing and changing student logon information as part of predatory schemes to access their accounts, change their regular mail and email addresses and even intercept correspondence. That's a major, major event. Specifically, the IG reported that the process for logging on to the federal student aid website was, quote, "being misused by commercial third parties to take over borrowers' accounts," end of quote. In one case, the Inspector General warned that a student loan company, and I quote, "changed the mailing address, the phone number and email address for borrowers so that it would be difficult for the borrowers to be contacted by loan servicers," end of quote. In another case, the IG found a company charged borrowers monthly fees to, quote, "put their loans into forbearance with the stated promise of eventually enrolling them in the Public Service Loan Forgiveness or some other debt reduction program, even though the borrowers in some cases were not qualified for these programs," end of quote. This is major. The IG also found that these companies were able to, quote, "intercept all of the borrowers' emails, correspondence, including password resets via email, important email notices, and direct communication from FSA or the loan servicer," end of quote. Less than two weeks ago, on April 20th, our committee staff conducted a transcribed interview with the special agent in charge of this investigation at the Inspector General's office. This is what he told us. He warned that these companies, and I quote, "were controlling thousands of accounts, or creating thousands of accounts and controlling them," end of quote.
In other words, the very companies that were supposed to be helping students were actually abusing their trust. These practices are reprehensible, but the IG reported that it could not prosecute these student loan companies because of technicalities. Apparently, these companies force students to sign powers of attorney to get loans, so the companies presumably could try to argue that they were authorized to engage in these abusive activities. Something is awfully wrong with that picture. It is outrageous that these companies effectively got away with behavior they must have known was wrong. No, not must have known. They knew was wrong. I'm eager to hear from today's witnesses about improvements necessary to hold these student loan companies accountable for engaging in these deceptive and abusive practices. In addition, as we will hear today, criminals were able to compromise the Data Retrieval Tool, which is used to link student tax information to financial aid and student loan accounts online. These criminals then used this information to file fraudulent tax returns. It is unacceptable that students have to deal with the abusive practices of predatory loan companies as well as the increased threat of identity theft. It is critical that we crack down on these criminal elements and improve the security of these systems. Congress also needs to support these efforts. Severe budget cuts in recent years have made it more difficult to make critical improvements in information technology. President Trump's budget proposal and staff reduction directives would exacerbate these challenges. Finally, if we really, really want to protect students from the abuses we are addressing here today, Congress obviously cannot abolish the Department of Education, as some of my colleagues have proposed. We must support and increase our nation's investments in our students. As I often say, our children are the living messages we send to a future we will never see.
The question is, how will we send them? The question is, how will we protect them? And this is that moment. This is our watch. And with that, Mr. Chairman, I yield back. Thank you. I will hold the record open for five legislative days for any members who would like to submit a written statement. We will now recognize our panel of witnesses. I'm pleased to welcome Mr. James Runcie, the Chief Operating Officer, Office of Federal Student Aid, Department of Education; Mr. Jason Gray, Chief Information Officer of the Department of Education; Ms. Gina Garza, Chief Information Officer of the Internal Revenue Service; the Honorable Kenneth Corbin, Commissioner, Wage and Investment Division of the Internal Revenue Service; and Mr. Timothy Camus, the Deputy Inspector General for Investigations, Treasury Inspector General for Tax Administration. We welcome all of you and thank you for being here this morning. Pursuant to committee rules, all witnesses will be sworn in before they testify. Would you please rise and raise your right hand? Do you solemnly swear or affirm the testimony you are about to give will be the truth, the whole truth and nothing but the truth? Thank you. Please be seated. Let the record reflect that the witnesses answered in the affirmative. In order to allow time for discussion, we would appreciate it if you would please limit your oral testimony to five minutes each. Your entire written statement will be made a part of the record. And with that, I'm pleased to recognize Mr. Runcie for five minutes. Thank you, Chairman Russell, Ranking Member Cummings and members of the committee for the opportunity to join you today. I'll discuss the events that led to the Data Retrieval Tool being disabled, the plan to restore the tool, and the actions we have taken to assist students, parents, borrowers and schools. As the largest source of aid in the U.S., FSA delivered $125 billion in aid to students attending 6,000 schools last year.
FSA is committed to safeguarding taxpayer interests while providing access to student aid for students and families. During my tenure at FSA we have managed the growth of the direct loan portion of the student loan portfolio from 9.2 million recipients and $155 billion to 32 million recipients and approximately $1 trillion. One of the critical resources that has assisted the department in this growth is the DRT. It first became available in 2010 through the joint efforts of the IRS and FSA, and provides FSA's customers an effective way to transfer required IRS tax information. Each year, about half of the 20 million FAFSA filers use the DRT, and 4.5 million borrowers use the tool for income-driven repayment plans. In total, over 55 million FAFSA and IDR applicants have used it since its inception. Using the DRT has saved millions of hours of time, reduced improper payments by billions of dollars and lowered the burden on schools and their dedicated staff of financial aid professionals. Following a review last year, the agency contacted FSA about a potential DRT vulnerability. The joint goal of the IRS and FSA was to minimize the potential vulnerability without causing a major disruption to our customers. We agreed to keep the DRT operational while increasing the monitoring of the tool for suspicious activity. The IRS and FSA evaluated many solutions that could be integrated with both applications and would increase the protection of taxpayer information. Many solutions did not meet the required security and privacy threshold or resulted in too many applicants being unable to access federal student aid. In February we agreed to develop and implement an encryption solution. This solution would be employed for the 2018-19 award year beginning October 1st, 2017. The IRS and FSA also agreed that we would continue to monitor the applications for the current award years and still allow for DRT use. On March 3rd, the IRS alerted FSA of suspicious activity related to the DRT and suspended its use.
The suspicious activity involved bad actors obtaining personal information elsewhere and then filling out FAFSAs to access taxpayer information from the IRS through the DRT. This information could then be used to file fraudulent tax returns. I want to reiterate that we have no evidence that any personal information from the department's systems was accessed. We are working to address the potential vulnerability. For the DRT in the IDR application, we are targeting the end of May to restore it to applicants. For the FAFSA, we are on schedule to meet the timing for the launch of the 2018-19 award year; the current 2017-18 award year will not have the DRT available for the remainder of the award year. We are reminding students and borrowers that they can apply for the FAFSA and for repayment plans without the DRT. Our ongoing efforts utilize resources and vendors. The department also issued a communication on flexibilities regarding verification procedures. I appreciate the opportunity to provide you this information and I welcome any questions you may have here today. Thank you. Thank you. The chair now recognizes Mr. Gray for five minutes. Thank you, Chairman Russell and Ranking Member Cummings. I am Jason Gray, Chief Information Officer of the Department of Education, a position I have had the privilege of holding since June of 2016. I appreciate the opportunity to speak with you today about the events that led to the shutdown of the IRS Data Retrieval Tool. As CIO, I embrace the mission of promoting student achievement and competitiveness, fostering educational excellence and ensuring equal access, by ensuring that we apply information technology effectively and securely. I understand that this includes the entire department, including Federal Student Aid and all principal offices. We immediately activated our response processes. This involves coordination of security operations center resources to gather forensic data and to gain a better understanding of the incident.
Additionally, we reported the incident to our Office of Inspector General and to the United States Computer Emergency Readiness Team at the Department of Homeland Security. While the department's systems were involved, this was not a scheme directed at the department's data but at retrieving tax data from the IRS. There is no evidence that the malicious actors were able to access any personal information from the department's systems. I am confident that the personal information that the department has on borrowers, students and parents remains protected. Incident response is a priority for the department. We have formed working groups to address cybersecurity incidents. The department recognized the need to enhance our overall incident response process. The department implemented a number of technical controls to detect policy violations and unauthorized changes. This includes a data loss prevention solution which restricts users from sending emails containing PII. In 2016, the department implemented network access control, which prevents connection by any unauthorized device. The department has partnered with DHS on automated solutions for continuous diagnostics and mitigation. I thank you for the opportunity. The Department of Education and the IRS continue working together to continuously enhance the security and privacy protection around this important capability. I am confident that the technical solution currently being worked will achieve this goal. I will be pleased to answer any questions you may have. Thank you. The chair now recognizes Ms. Garza for five minutes. Thank you for the opportunity to appear before you to discuss the cybersecurity incident. I have been a public servant for over 32 years. I have been an information technology executive for the last 17. Recently I became the Chief Information Officer, having served in the deputy role for the four years prior. During this time, I have seen a dramatic change in the number and types of schemes that criminal enterprises use to try to get the data that we are committed to protecting. The IRS's attitude toward cybersecurity and fraud has also changed.
We understand that the enemy is ever changing and we must stay diligent in assessing our posture and improving our defenses. We know that we all share responsibility to ensure cybersecurity is embedded in every part of our operation. Stepping into the role of CIO eight months ago, I established two priorities: cybersecurity and delivering a successful filing season. Having been an executive in operations, I appreciate that we did not take lightly the decision to disable the DRT tool. We knew that doing so had the potential to disrupt millions of students applying for federal financial aid. I believe we made a sound decision, one which will protect the data of 175 million Americans. This is our highest priority. I appreciate your decision to conduct a public hearing on this subject, as I believe it is critical that we continue to raise awareness of the widespread cyber and identity theft that we are facing across the globe today. Every day thousands of individuals are victims of identity theft; government and private sector companies alike are being bombarded. We, the IRS, have a front row seat. Every day, the IRS receives millions of attempts to penetrate our systems. Identity theft is a major threat. When we assess the risk and determine that we should shut down an application, our practice is to shut it down until we have mitigated the risks. In prior situations no other agency was involved. This situation was different. The Department of Education was highly dependent on the tool for the success of its program and to serve its customers. We would not make the decision to shut down without including them in the decision process. We discussed the need to raise the level of authentication at the Department of Education. This could be done on the Department of Education website or at the point the applicant uses the DRT tool. The Department of Education needed to have a user-friendly solution in place. This made it undesirable to implement a solution that would cause about 70% of applicants to be unable to complete the process.
We continued to collaborate with the Department of Education to find an alternative solution to protect the data. At that time there was no evidence of data loss or fraud. We agreed to not shut down the application. We were always clear that the moment we had evidence of data loss or fraud, we would turn off the Data Retrieval Tool. In conclusion, protecting data is our highest priority. This threat is persistent and ever changing. There will always be more work to be done. This concludes my oral testimony. I will be happy to answer your questions. Thank you. The chair now recognizes Mr. Corbin for five minutes. Chairman Russell, Ranking Member Cummings and members of the committee, I am the new commissioner of the IRS Wage and Investment Division, having started this position at the beginning of the year. My responsibilities include overseeing the processing of tax returns, issuance of refunds and providing the best taxpayer service. Thank you for the opportunity to testify. My colleague Ms. Garza has described the work that we have been doing. I will put that in a broader context of how we are working to safeguard all of our programs where we share taxpayer information. I will also update the committee on our efforts to help taxpayers who may have been affected by the incident earlier this year involving the DRT. An important focus of the IRS's efforts to protect taxpayer data is the ongoing fight against stolen identity refund fraud. We have made progress over the last few years against this threat. This threat is constantly evolving. To address this challenge, the IRS has worked to increase our ability to monitor, detect and analyze suspicious activities within our systems. Congress helped us by approving $290 million in additional funding in 2016, which included $95 million to improve cybersecurity. We used a portion of that funding for monitoring equipment and other capabilities that are more sophisticated than we previously had. This has helped us detect unusual activity in various online tools and applications more quickly.
Despite all the progress that we have made, we realize that we cannot relax in the fight against identity theft. We are finding that as the IRS enhances its return processing filters, catching more fraudulent returns at the time of filing, criminals are becoming more sophisticated at mimicking taxpayers' identities so they can successfully obtain fraudulent refunds. The IRS is working to do better, not just react. Student aid is an area where we have been concerned about the ability of bad actors to fraudulently obtain taxpayer information. In investigating the incident this year involving the DRT, we found that the data obtained was in some cases used to attempt to file tax returns. Our strengthened fraud filters stopped a significant number of questionable tax returns by filers who accessed the DRT. We are working to determine whether any of those returns are in fact fraudulent. Our analysis of the suspicious activity involving the DRT found that as many as 100,000 individuals may have had their taxpayer information compromised. We have indications that a large number of these taxpayers likely did not have any information compromised. We have mailed letters to all of these taxpayers so they can take steps to secure their data. We also offer them free credit monitoring. Along with notifying taxpayers, the IRS is marking their accounts and providing information on protecting against identity theft. We recognize that many families trying to apply for student aid have been inconvenienced while we work to improve security for the tool. In the interim, families can still complete the application for student financial aid by manually providing the requested information from copies of their returns. We realize this is not convenient. We have the responsibility to ensure our DRT and all of our online tools are protected. Chairman Russell, members of this committee, that concludes my statement. I will be happy to take your questions. Thank you. The chair now recognizes Mr. Camus for five minutes. Thank you for the opportunity to testify.
The IRS processes 242 million tax returns and collects over $3 trillion in revenue. In addition to the significant amount of money that flows through the IRS each year, taxpayer information is valuable to identity thieves. The IRS is a target of cyber criminals all over the world. Over the past four years numerous investigations have been conducted. In May 2015, criminals launched a coordinated attack that was estimated to impact 10,010,010, taxpayers. In January 2016, the IRS e-File PIN was exploited. On January 25th, 2017, the IRS noticed unusual activity on the FAFSA Data Retrieval Tool. The IRS reported this observation to the Department of Education. The Department of Education advised the IRS that they believed the activity was legitimate activity. Then on February 27th, 2017, it was determined that the Data Retrieval Tool was in fact being used in order to steal taxpayers' adjusted gross income, or AGI, information. Taxpayers' AGI information is extremely valuable to thieves. Due to this activity, the IRS made the decision to take the Data Retrieval Tool offline. It is estimated at this time that as many as 100,000 taxpayers have had their AGI information stolen through this exploitation. With the benefit of hindsight, in all of these incidents that I discussed, the IRS has had difficulty in identifying the proper levels of risk associated with various applications. That's because of the struggle with determining the risk and then the necessary authentication requirements. We share what we learn with the IRS in order to help ensure the security of its applications. One thing is crystal clear: there is a determined criminal element paying close attention to electronic information. I believe these criminals will continue to present challenges. In summary, we take seriously our mandate to protect American taxpayers and the integrity of the IRS. As such, we plan to provide continuing investigative and audit coverage.
We look forward to continued discussions on ways we can fight these types of cyber crime in the future. Mr. Chairman and Ranking Member Cummings, thank you for the opportunity to share this view, and I look forward to answering your questions. Thank you. The chair will recognize himself for five minutes. Ms. Garza, as I look at this situation, you certainly have a lot of experience both in the CIO arena and in public service, and we do appreciate that. A lot of times public service is taken for granted. With your experience, it is not taken lightly. Still, as we examine this issue, we are trying to get to who's responsible for making the operational security decisions for the Data Retrieval Tool. As I said in my opening testimony, we are all responsible for ensuring cybersecurity is our top priority. As a group, we look at every risk assessment. We evaluate the situation and we make the decision as to what level of risk we are willing to take. With the application that we are talking about, over the last year we have been much more conservative. We evaluate the situation, we discuss it and we determine what actions we need to take. In your testimony, you mentioned this was unique because, unlike attempts or attacks on the IRS or different departments within the IRS, this involved a different department, so you had one end of the pipe and the other end of the pipe. When you learned in September 2016 that it was possible for hackers to use stolen information to pose as students and access the DRT, or Data Retrieval Tool, why did you not move immediately to secure the tool? There were a couple of actions that we took at that time. First of all, there was no data loss at the time. We had no evidence of fraud at the time. Well, there was no evidence of fraud, but that does not mean that there was not. You had a clear indication that something was not right, yes or no? We looked at the analytics and all the data that we had available to us at the time.
We did not see anything suspicious. We contacted the Department of Education, and both cyber organizations started to work to look at the data, and the data did not reveal that there was any kind of penetration going on at that time. Well, and I guess here is the information that I am speaking to specifically. The isolated case, did it not result in the indictment from September 13th? It was a single case and they did not get the data. Well, I guess let me follow on this, then. What I hear from each of the panel is no data breach and no problem. I hear Mr. Camus saying hundreds of thousands. Mr. Gray, to what extent do you think the department is responsible for securing the data and web-based applications? 100%, we are responsible for securing our data. Okay, but yet we can see the Department of Ed saying, hey, give us a tool, or have the IRS saying, here is the tool. You've got data coming out on one end and securing on the other; there is a leak. And yet it took you how many months, from September to February, to even recognize and say, no, we thought it was legitimate in September but now we think we may have a problem? That's a big period of breach. It was perceived that there was a potential vulnerability in September and October. The two departments worked together to create a solution that'll prevent that vulnerability from being exploited. We took the appropriate action to bring it offline. Yet it was not shut down when you had an indication at the start of the new financial aid season. What I'd like to do is this: you said there was no evidence of information being accessed, but were fraudulent returns filed with regard to this data? We analyzed the Social Security numbers and IP addresses, and we did an exhaustive examination looking at indicators of risk, and we turned the information over to the IRS so they could complete some of their analysis. In September, as I mentioned earlier in my comments, we at that point had probably filed 50 million applications using the DRT.
We have filed a substantial amount of information using the DRT, going back seven years to 2010. It is quite possible, and as we have said, that criminals and fraudulent activities are innovative, so things change. Over that period of time, there wasn't any documented material criminal activity on the DRT. When it was found, it was confirmed and shut down. There was a history there, one that we relied on, and even though we continued to monitor it, we balanced the risk of shutting off the tool. There is always a risk in protecting taxpayers, and I want to be respectful of the time here. Before I turn it over to the Ranking Member, what it appears is that we were not identifying that we had a breach, and it made us vulnerable. With that, we'll come back to some of that at a later time. I would like to recognize the Ranking Member, Mr. Cummings. Thank you very much, Mr. Chairman. Mr. Runcie, last September the Inspector General issued a report on the federal student aid website being used to take advantage of students. The IG explained the tactics that were used to commit possible fraud. First, companies would obtain the credentials students use to access their accounts. Are you aware of that report? Yes, I am. It would be difficult for borrowers to be contacted by their own loan servicers, even though the borrowers in some cases would not qualify for these programs. Mr. Runcie, when you read this report, were you troubled by these companies that did this to the students? Ranking Member Cummings, yes, I think we were all troubled, and we continue to work with the IG. We have a potential solution or mitigating action that we are going to take later this month. We understand what the issue is. As you mentioned earlier, there is the technicality of someone who potentially signs up for these services, so whether it is through a power of attorney or another agreement, there is sort of that technical issue that we have to deal with. So the IG reported that it could not prosecute these based on technicalities.
For example, many of these companies required students to sign powers of attorney, then used the power of attorney to improperly access the student accounts. Yes, I absolutely agree. One of the approaches that we take is user education. Ultimately, all of these services provided can be done for free, but again, through aggressive marketing tactics and so forth, it is quite possible there are a number of people who are not aware that they can get these services done for free. We'll focus on user education, and in addition, we are going to make sure that there is information out there that the IG can leverage in terms of going after some of the bad actors out there, and that's what I referenced a little earlier without being specific. What other actions have been taken so that going forward these student loan companies will be held accountable for these abusive activities? Something about this just tears at my heart, because I see so many. I have sat on the board of a college and I see young people having to drop out of school because they don't have money and they're struggling, and they just want to go out there, and not only do they have to fight, but we are supposed to be helping them. But then they lose the opportunity, and they don't lose it maybe for a week or a day. They lose it for a lifetime. That's why I am so concerned about this. What assistance can Congress provide to help hold student loan companies more accountable? What can we do? Do you need some help? Yeah, I mean, you know, well, I have some thoughts. Give us your thoughts. We have a duty. Once we find out what we can do, we need to try to figure it out. We've got to know what they are. There is the technicality of transferring authority, of giving away your passwords and information so others can provide services. If there is some legislative process to address that, I would be an advocate for it.
You've got to balance that potentially of a population, and I know it would be a segment of the people being contacted who may actually need some guidance, whether it is loan consolidation or other values within the federal student aid system. There may be some small amount, and we would have to sort of think about the impact on those who may need some level of assistance. Again, I think the bigger problem, which you indicated, is that there is a potential for people to be put in a situation where they're harmed for a long period of time because they are not educated about some of the options out there to do it themselves. Would you think legislation regarding doing away with the power of attorney requirement would be appropriate? I think it would be something that we should consider. Again, we would have to do some analysis, and it can be surveys or whatever. Like I said, there is potentially a group of some of the most needy who may need some assistance, and I cannot calibrate that right now. I think, as you said, the bigger problem is there are a lot of them that are not aware that they don't need to pay for these services and are being exploited. Chairman, I would hope that we would pursue this further. I think it would be legislative malpractice for us not to protect these students. It is ridiculous. We've got to do all that we can. I am sure that you will work with all of us and our panel working with us trying to make it happen. The other thing that we've got to do, and we cannot have just a hearing with these folks. We've got to bring in these people that are messing over our young people and playing games with their lives. I look forward to working with you. I move forward. I thank the Ranking Member, and I agree that this extends beyond our students to private data and parents and others. I look forward to working on that effort. The chair would like to recognize now the gentleman from North Carolina for five minutes. Thank you, Mr. Chairman. Mr.
Camus, I would like you to describe the following incidents, if you would, please. The one that started in September 2016, was that the incident involving the data retrieval tool? Was that criminal in nature? Yes, it was. Did it result in an indictment? Yes, it did. There was also one identified in November of 2016. The third one is one in January 26, 2016, where high taxpayers were identified as processed on the part that raised red flags. Did this result in a notification to Congress? No, it did not. Ms. Garza, given the three incidents that were described that predated the Major Incident that resulted in the DR tool not being taken offline on March the 3rd, why was the data retrieval tool not taken offline earlier? If you could pull the microphone closer and speak into it there. Thank you. We took immediate action by analyzing the data that we have, and we found there was no evidence of breach. Data was not lost. We started working with the Department of Education to strengthen the authentication process. I don't understand, given that fact. It was not breached. I was just thinking of my family back at home. If I've got a security system, perhaps, people trying to break into that, at some point, I am going to be concerned, and nothing was taken and nobody was hurt and nothing is damaged. That's why we reached out to the Department of Education to have discussions about what we can take. We saw this as action that needed to be taken immediately. We take those actions to come up with, and trying to come up with, a solution that could mitigate the risk. The key word is trying to come up with a solution. I am not sure if we arrived at that. After the October 2016 discovery, DRT could be vulnerable. The IRS increased monitoring of any suspicious activities. Could you describe what that increased monitoring looked like? That's correct. We engaged with our friends and asked them, as well as the new cyber and analytic team that we had in place, to start looking for suspicious activities.
Because of the increased monitoring that we had done, we identified suspicious activities occurring in January. There was an incident in February of this year. Was that discovered by accident? We had mechanisms in place, multi-layer defense mechanisms. One was the address of record to the individual whose data had been identified, and that led us to identify that we had an issue as we investigated that issue. We were able to find that, in fact, there was fraud that had taken place, and we immediately shut down the application. So for the record, you are saying that no, it was not discovered by accident. There was a notice that was generated to the taxpayers that had those taxpayers come in and notify us that there was something amiss. This is not only a question of taking responsibility for the IRS, but of understanding cyber security risk in these online services and applications. I certainly agree with Ranking Member Cummings. These are young people's lives at stake, as they are coming out and getting started. I hope there is more of a sense of urgency to deal with this issue than what presently seemed to be done at the time. With that, Mr. Chairman, I yield back. Right now the chair would like to recognize the young lady for five minutes. Thank you very much. Good morning to all of you. The finding: this is not the first time the student loan company acted. And even more concerning, this current administration has withdrawn a series of policy memos that the previous administration put in place for student loan borrowers. What impact does this action have on student loan borrowers? Well, in terms of our focus, you know, our focus from a servicing perspective is making sure we have the highest outcome, and we put in place a series of actions throughout the year, and right now we are going through recompetition. Because we are in a procurement process, I cannot talk about specifics.
But I would reiterate that we are focused on having the highest quality product that we can from a services perspective and generate the best outcome for students and borrowers. Are you aware of a rollback of oversight accountabilities that had been instigated that's overturning some of those accountabilities that were designed to protect students and vulnerabilities? I am personally not aware of any rollbacks. Is there anyone on this panel aware of any recent actions on the part of either this administration, through the White House or the Department of Education, that will negatively impact the accountability that's not a good person or entity to work with in this case? Is that a no? There is no one. No. No. Interesting. This January, the Consumer Financial Protection Bureau, according to a lawsuit, it was pushing borrowers into forbearance and accruing interest. Are you familiar with this? Yes, I am familiar with that. Student loans of more than 12 billion borrowers. I believe that's right. There is no expectation that the servicer will act in the interest of the consumer, is that right? I did not hear the last part. The servicer acts in the lender's interest, and there is no expectation that the servicer will act in the interest of the consumer. I understand in that statement, a servicer would be acting on behalf of the private. We are currently in a procurement process and I cannot make a comment on that. Which is also in the procurement process. Then I would expect you look at information such as this and that, and we are not going to ask you again about someone like, even though you cannot express what's happening with regards to that company right now. We look at past performance and responsibility and criteria that we have to look at in terms of the process.
Well, I don't know by number the executive order or the rollback that took place that's looking back at a company's business and reputation, but I think that's something that you need to look at to see whether or not it does negatively impact the ability to ensure that the best is taken care of. Thank you. With that, I yield back. Absolutely. The gentleman yields back. Mr. Corbin for five minutes. When did the IRS notice that you had a problem? It happened on the same day. You guys talked to Mr. Camus and his guys on the 27th of this year. I did not. Someone at the IRS did. How many taxpayers were harmed by the hacking and the breach that took place? Approximately 100,000 people. The law requires you to notify Congress when something like this happens, does it? I am not familiar with that. I will read it to you. This is a letter from your boss of the Modernization Act. This is not later than seven days after the day of the incident that you should notify Congress, right? Yes, sir. You are supposed to do it within seven days, is that accurate? Yes, sir. That's the law. What did you tell Congress? I believe we notified Congress within that seven-day time frame. Is that true, Mr. Camus? We didn't have it until April 6th. I have to go back and check that, Congressman. That's important, right? That's important. That's when he told us, testifying in front of the Senate. Yes, I have to go back and take that back and confirm that for you, sir. Well, I appreciate that. This is when Congress first learned, on April 6th, that there had been an incident, and here is what the statute says. It says not later than seven days after the day of a reasonable basis that the incident occurred. Would you describe this as major? Yes, I would say the same here. We are wondering why you waited so long. I don't have an answer, Congressman. I will go back. We'd like to get that. Frankly, let me turn to Mr. Camus.
Is this the first time the IRS waited to tell Congress the information? Mister, I am not aware. I will refresh your memory. There is an incident that happened seven years ago and over a sustained period of time targeted taxpayers based on political beliefs. Are you familiar with that? I am familiar with that. You did an investigation into that, did you? A couple? Yes, sir. Was the IRS forthcoming in that investigation? We found some mistakes and some materials that should have been turned over. I appreciate that. Let me just refresh your memory. The IRS knew there was a gap in February of 2014. They did nothing to stop the disruption of backup tapes. Do you remember this, Mr. Camus? Yes, I did. It was your discovery that discovered the backup tapes, right? Yes, sir. March of 2014, a month after they knew there was a gap in emails, Mr. Koskinen testified in April of 2014, but you know what he told Congress? June 13th, 2014, is that right, Mr. Camus? That's correct. The agency that has a little bit of influence on American people's lives, with a major breach that the law says you are supposed to tell Congress within a week, within seven days. What did they do? They waited 38 days. To add insult to injury, think about what Congressman Walker just talked about. All the suspicious activities that took place before February 27th. In fact, when Mr. Koskinen testified and said, we are putting you on notice there is a major breach, look at what he said in that testimony. He said this. April 6th, 2017, Mr. Koskinen testified in front of Finance: we started working with Education in October, telling them we were very concerned that the system could be utilized. Mr. Koskinen was on notice that there were problems, and he used the term very concerned. We had the major breach take place, the IRS tells you we've got to look into this. We have all these things of suspicious activities, and they don't comply with the law to tell Congress within a week. They wait for 38 days and tell us.
It is not supposed to be how it works, Mr. Camus. No. The IRS once again treating taxpayers the way they're not supposed to, and it is why this committee has been so focused on trying to clean up the mess over there, and frankly I have been focused on Mr. Koskinen has to go. With that, I will yield back, Madam Chair. Thank you, Mr. Jordan. You are recognized for five minutes. I want to thank the lovely chairwoman for the opportunity to speak. Everyone on both sides of the aisle is very concerned about this issue, and most of us have children and have our own student loans or loans that we help with, and the children that we care about are our future as well as our constituents. I want to touch on something that I know one of my colleagues spoke about a few moments ago, Mr. Runcie, when they talked about the lawsuit with Navient. It is, however, understood that this is a lawsuit, so in the interest of both parties, they both have allegations raised. But Navient does have a lower default rate than some of the other users or loan companies, and they do have a propensity to loan to minority and underserved communities. Is that correct? I understood that the default rate of the students who have loans with Navient is lower than some other loan companies. I would have to confirm that. And a lower default rate is better. I have to confirm that. I don't know if the portfolios are the same. Sometimes there would be natural differences in default rates for various servicers. Sure, sure. One thing that is really interesting as well, Mr. Runcie, when we are talking about the Inspector General's report, the IG warned of the system being used by a third party. This is something that Ranking Member Cummings talked about, and these are things that we are keen on because these are students who are navigating a difficult system, and this is sometimes the first instance that they go into their finances and make a decision that's going to have an impact.
Student loan companies and student loan consolidators, is that correct? The third party that takes over borrowers' accounts. Less than two weeks ago, this committee conducted an interview of the special agent in charge of conducting the investigation with the IG. He explained to the committee that the information in these student accounts is of commercial interest to loan consolidators, right? Yes. And that phrase, commercial interest, is very key to me. He also told us the student loan companies, and I quote, were controlling thousands of accounts, creating thousands of accounts and controlling them. Mr. Runcie, is this true? Were student loan companies using information of individuals they are there to serve in a manner to control, for commercial interest, those accounts? Yes, my understanding is it is a fee for service, so to the extent that they've got a thousand clients and they are being charged for those services, it would be a commercial endeavor. Do you have a list of the names of those companies who are doing that? We identified some. I don't know if we have exhausted the list of the companies. Chairwoman, may I ask that we obtain the list of every student loan activity that they are involved in? Mr. Runcie, how long does it take you to provide something like that to the committee? I don't want to commit because I am not sure. Come on, you cannot give me an outside range of time like that? A week or two weeks or a month? I would say if you give us a month, that's appreciated. Of course, you went to the outside. I don't want to negotiate. Got you, very good. Student loan companies aggressively pursuing account holders and taking advantage of this. That sounds outrageous, and could you explain to me not just aggressively pursuing, but what did you mean by taking advantage of them? I don't want to speculate. To the extent of providing services, those decisions may benefit them commercially. Are any of these same companies doing business with the Department of Education?
Not that I know of. Madam Chairwoman, we have the responsibility to help protect students from this kind of abuse, and I am pleased that we are having this hearing to go through this. I believe the entire committee is very keen on holding the hearing here, with the next with the loan companies that are engaged in these activities. I hope we can have the IG from the Department of Education testify about what they found. Thank you very much for the information that you provided us. I hope this chairwoman will be able to do that. I yield back. Thank you. First of all, I want to say thank you for your willingness to accommodate me on the floor the other night. It was not necessary, but I appreciate that, and I believe under the committee rules, you have the right to ask any witness for any information, and I am sure that will be followed up with the staff. Thank you very much. Thank you, Madam Chairwoman. I apologize if I review some information that has already been discussed. Raise your hand if you are responsible for fafsa.gov. Raise your hand if you are responsible for the DRT tool. Let the record reflect Mr. Corbin and Ms. Garza raised their hands. We started to work with the Department of Ed. What did you start to do with the DRT tool? We increased monitoring on that application so we can become alerted should we see something suspicious. Were those efforts successful? In January, it was those efforts that identified suspicious activities occurring. At that time, we partnered with the Department of Ed to get our cyber teams together to review that suspicious activity, and we were informed by the Department of Ed that it was normal behavior. What's being done now to strengthen DRT? We have developed and implemented an encryption solution on the IRS side. We are working with the Department of Ed. How is encryption helping with authentication if you have a stolen individual? We looked at providing the usability of the application; we have moved to the encryption.
That does not answer the question. The question is, how does encryption help with the use of stolen credentials? It does not allow data to be revealed to other applicants. If you have stolen credentials, then you are able to spoof that. You have the credential. What are you doing to prevent that from happening? There are a set of keys that the IRS has that are only shared with the Department of Education. As the applicant comes in and releases and tells us to release the data to the Department of Education, they don't have access. They don't have a key to encrypt that data. It is only the Department of Education, once they get to their side, that will be able to decrypt the data. So Mr. Gray, you are responsible for fafsa.gov? Yes, sir. What are you doing to strengthen identification if somebody has stolen credentials? We are looking at proactive measures. "We are looking" pertains to you doing something in the future. Do you have a past tense that you can use on what you have done? We followed defense in depth, and we have a whole series of actions that were taken to ensure that we protect our systems. What are those series of actions? Some of them I referenced in my opening statement regarding data loss prevention, firewall. How does that help with authentication? Users are inputting their own data to gain access to apply for a student loan. I get that. It is your responsibility to confirm that the person that's entering that data is indeed the person who owns that data. I recognize it is a tough job. I recognize that what you have to do is difficult. But you still have not explained to me, we have proven and we have seen with the theft of over 100,000, or the impact on 100,000 students, that the authentication in the DRT tool is lacking. My concern is everybody is doing this. I want to know what you are doing, and if there is not something, or if you need additional authorities to improve authentication.
In terms of what we are doing, this is the balance of accessibility of the tool. The level of authentication currently is so that we can cast the net as broadly as we can to potential borrowers. The identity proofing piece comes in when we are disbursing the funds. For the DRT, the challenge, or what we're doing, or looking at doing, is masking and encrypting the data so that if an identity thief logs in through that system, they will not see the data, which would allow them to exploit this vulnerability. Madam Chairwoman, I apologize for going over my time. No problem. Without objection, I'm going to recognize Mr. Duncan for a unanimous consent request. Thank you very much, Madam Chair. I realize you're not going to be able to get to me for questions, so I simply want to make a unanimous consent request to include in the record at this point an email from one of my constituents, Melissa Macko, the financial aid administrator at the Tennessee College of Applied Technology, because she has four good suggestions to help with this problem in her email. Thank you very much. Thank you, Mr. Duncan. Ms. Kelly, you're recognized for five minutes. Thank you, Madam Chair. In recent years, hacking, identity theft, and cyber crimes have been on the rise. I've been a victim myself. Federal agencies have to do their part to secure their systems. But Congress must acknowledge the impact its own actions have had on the ability of agencies to protect their IT systems. Many agencies face serious challenges in modernizing outdated legacy IT systems and implementing stronger cyber security measures under the severe budget cuts that have been controlled by Republican-controlled Congresses. One of the agencies hit hardest by these cuts is the IRS. In May 2016, the IRS's then Chief Information Officer Terence Milholland testified, and I quote, the IRS budget system is the most critical challenge facing IT modernization. Mr. Corbin, Ms.
Garza, what are the impacts of budget cuts on the ability of the IRS to modernize and secure IT systems? Are we putting taxpayers at greater risk? Congresswoman, one of the things Congress did do for us last year was appropriate the additional 290 million. We did take a portion of that funding to help us get the tools that Ms. Garza had described to help us identify and monitor our systems more closely. We also continue to invest in the return review program, or RRP. And so that allows us to create rules and filters so that as returns come in, we're able to evaluate those returns for potential fraud and identity theft and stop those returns before they're actually paid out. So I think, I want to thank the Congress for the money we received. That was extremely beneficial. That allowed us to put new technologies in place. We were able to address the system a lot quicker than we've been able to in the past because of the monitoring capability and the data and analytics capabilities we implemented using those resources. And would you say more is needed? We would always be thankful for any additional resources and continued support in this area. To make us more secure. Yes. Okay. It is not just IT systems that have been affected by these resource lapses. Mr. Milholland testified last year that increased progress on modernization and cyber security measures, and I quote, will require significant sustained additional resources in the IT area. Do you agree with that assessment? I would agree with Mr. Milholland's assessment of our needs. Mr. Corbin? Yes, ma'am, I would agree as well. Yet again Congress has failed to ensure agencies have the resources needed to carry out their missions. For instance, under the IRS Restructuring and Reform Act of 1998, Congress gave the IRS the authority to hire a limited number of individuals to staff critical technical and professional positions at salary levels greater than general schedule rates.
This critical pay authority was intended to help the agency attract highly qualified individuals with technical expertise who might otherwise be available for government service at normal federal salary levels. The IRS used this authority to fill 168 of these positions from 1998 to 2013. Does critical pay play a role in making federal government jobs more appealing to highly qualified technical individuals who may be interested in public service but could be earning a much higher salary in the private sector? Congresswoman, the streamlined critical pay authority that we had was extremely beneficial to the IRS. Because of that authority we were able to bring on board high-level architects, engineers, and cyber security experts. Over the last several years, they have helped us ensure that we were doing what was needed to secure our perimeter and make sure our systems were running much better. The important component of this was the streamlined part of the critical pay. It allowed us to offer a job when we found somebody after the announcement was made, and we identified somebody much quicker than the normal process would have been. Without the streamlined component, when we got back to the individual to see if they would be interested, the time elapsed was so long that they were no longer available or willing to come to work for us. So it is a critical component. But this pay authority expired in 2013 and has not been reauthorized. So American taxpayers lose when Congress ignores its responsibilities. Congress can and should quickly pass streamlined critical pay reauthorization and act to provide adequate resource levels for cyber security at all agencies. Thank you. Thank you, Madam Chair. Thank you, Ms. Kelly. Mr. Issa, you're recognized for five minutes. Thank you, Madam Chair. And I look forward to the reauthorization if we get the reforms that were required as of our last couple of hearings on the use of those 168 slots.
But let me go on to the actual data breach. Ms. Garza, under your interpretation of a data breach, this is a data breach, right? It's a Major Incident and it's a data breach; is that correct? Under the definition of data breach, it is classified as a data breach. Okay. So we've had a data breach. Let me turn it around for a moment, because both you and Mr. Gray said that you had, and I think Mr. Runcie, all said the same thing. You had no information that personally identifiable information had been specifically compromised. Is that true for each of you? That's correct. Okay. I'll go to the IRS first. Ms. Garza, you were there for the kickoff of the Affordable Care Act website. And as you know, in that website, if somebody looking at their information at the top of the screen simply went up there and changed the state, they might actually look at somebody's personally identifiable information. That was a vulnerability that was discovered right in there in the HTTP line, right? Do you remember that? That was on the CMS side. So I don't have any detailed specifics on that. Just for history's sake, I actually did it. And somebody did it themselves. You could simply change the state and you could end up with somebody else's identifiable information on your screen. Now, they would have said that there was no breach, as Mr. Gray is sort of saying, because there was no proof anyone took that information and used it. But let me ask it another way. If you put a team of white knight hackers onto this vulnerability, could you have harvested information, in your estimation? I think the evidence is that after the fact, yes, there were people that were accessing that application for bad reasons. Okay. So Mr. Gray, I want to get you on the record, under oath, with an accountable statement.
If there is evidence that people did nefariously gain some information, whether they used it or not, and that a team of white knight hackers or bad people could have harvested information, don't you have to admit that this is by definition a data breach, not just a hypothetical vulnerability but a vulnerability that was recognized that caused a shutdown of this tool? Thank you for the question and the request for clarification. I would say that when I am speaking about a data breach, I'm speaking about the Department of Education's systems. And through our analysis, there was no Department data that was compromised or viewed through this. This was a case of unlawfully obtained information that was used to go through our system to pull information from the DRT. But in this case we're talking about, you together represent, like an automobile, and you're saying that your right-hand wheel didn't come off, but the left-hand wheel did or could have. Ultimately, the construction of the entire product was brought to a halt as a result of a failure, right? Yes, sir. Okay. And both of you, I just want to make sure, because I heard Ms. Garza say it, but both of you admit that under FITARA, under the reforms, as CIOs, you have budget authority and the authority necessary to shut down or to make what changes are needed to control the security and accuracy of your work, is that right? Yes, sir. Okay. So now my question to you, in the short time remaining, is, although this is about education, and it's about the tremendous impact on students who will have a burdensome time applying, if we are to do the next level of reforms that this committee would be required to, if we've given each of you authority, and one of you says I've got a breach and the other says I don't, how do we resolve, within the hierarchy of the Executive Office of the President, so to speak, how do we resolve making sure that the failure of the whole is in fact controlled by somebody?
In other words, I'm looking at the two of you. You gave slightly different testimony. I think you've come together on testimony. But I want to know how in the future we do two things. One, make sure that somebody above you, sort of a super-CIO, can make sure that somebody is looking at the entire vehicle and not just a left tire and a right tire. And then secondly, where were those white knights in this process? Where were the people who scrubbed this, the third parties who scrubbed this data and system trying to find those vulnerabilities? Because somebody found it and it wasn't either of your teams. I'll take an answer from either of you in the time I'm allowed. I don't know where those white knights were, sir. I do know there were other entities within the government, USDS, for example, that were assisting with this as well. Before the fact you don't know, but after the fact you could recreate it. Ms. Garza, you're very senior in this position; you've had a lot of experience. One, how do we bring together organizations like yours that are becoming interdependent to make sure there's oversight of the entire combined authority, and two, how do we make sure there are white knights proactively in the future to try to find these things, and maybe to concurrently and constantly try to find them? Congressman, we actually do have processes in place where we do penetration testing, where we have individuals that come in and test our applications to ensure that they are not subject to white hat hackers coming in and getting away with the data. White hackers I'm okay with. White hats, black hats. We do have that process in place. I don't recall right now if that process was utilized on this application. It clearly should have been, and perhaps we would have been able to avoid this. As far as your other question, as the IRS continues to work with other agencies to provide data, it becomes more and more important that we actually have addressed the concern that you have raised.
I don't have the answer for you right now, but it's something we need to be thoughtful about because I think it will be happening more often. Thank you, Madam Chairman. The time of the gentleman has expired. I think it would be helpful to this committee and the Congress as a whole to get some sense of what kind of priority you put on testing your systems, because it's pretty obvious that something like this should have been tested, and should have been aggressively tested, any time you're sharing data with another agency. So I hope the committee will follow up on that. Mr. Raskin, you're recognized for five minutes. And Madam Chair, thank you very much. Mr. Runcie, there's been a documented pattern of abuse with the student loan companies for many years now. Lots of scams have taken place. In 2012, the IG reported that a student loan company improperly accessed student borrower accounts to change the contact information of the borrowers in order to, quote, make it difficult for the borrowers to be contacted by their loan servicers. Why would they do that? What's the scam? Can you explain for us how that works for them? Thank you. So they're commercial entities, and they're fee-for-service entities. So these are legitimate businesses, then, these are not internet scammers? They're not internet scammers, but the nature of the interaction between, you know, those entities and the students, I can't characterize that. But they're businesses formed to provide services, whether it's loan consolidation or something else. It seems and it appears that in cases where they want to have a level of control to create a transaction or to continue through the process, they change email addresses and potentially mailing addresses and so forth to facilitate the process they're taking the students and borrowers through. How do they profit from it? They take over the student's account? Let's make up a number. Let's say they charge 100 for consolidation or more.
So there is an agreement that they will consolidate the loans and create a lower payment amount or whatever the agreement is, and they will be paid for that. So did this actually take place? In one example, the IG reported in 2013, the company charged borrowers a monthly fee, I think it was $60, to put their loans in forbearance with the promise of enrolling them in the public service loan program which it turned out they were not qualified for. Did that actually happen with people? My understanding is there are these companies that provide these services and sometimes they put people in forbearance with the understanding that they'll ultimately go into consolidation. Those are third party entities involved in a transaction that doesn't include the department, you know, except for the fact that they're using the email addresses and the resources that we have to facilitate transactions where they make money. So just to get you straight there, they're using your website essentially as the framework to access their victims, then they prey on the people, but as far as you know, they might still be in this scam relationship with the students? Yeah, we've looked at IP addresses, we've looked at some of the activity. In some cases you will actually see loan consolidations. Whether it's 10% or 100% of their clients, we don't know. What we've stressed is user education to make sure people are aware that they can get these services done for free by leveraging resources that the department provides. I get complaints on a daily basis, pretty much, from my constituents who feel like the whole system is a scam. You're talking about people who are in serious debt from college and some of these kind of low-riding companies are able to access them, charge them more money to offer them either real or completely illusory services, right? That's right. Okay.
Who is the ombudsman and champion of America's students and college graduates who is looking out for the scams in the IRS, the department of education, at every level of government? Is there anybody? I think we play a role. The department plays a role. So for instance, I mentioned user education. The IG has noticed that this is an issue. And we're doing some things with our systems to make sure that we give them an additional tool or leverage that they can use to prosecute, you know, bad entities. So, you know, we play a role in that. How many prosecutions have there been since this was revealed? I don't have that information. Have there been any prosecutions? We don't prosecute. It would have to be through the IG or some other. And let me just say, I know everybody up there is working hard for the American people and has a tough job. But the overall institutional sense that I get is one of basic passivity and reactivity to events, rather than getting on top of it. We've got millions of people who are carrying these loans. I think there's more student debt in America than there's credit card debt now. It's more than $1 trillion. And obviously there's a lot of money being made there, including by people who are going out and preying on people who are already laboring under the burden of these loans. Do we need to create an ombudsperson, to make sure people are not getting ripped off at every step of the process? We have an ombudsman, but it's not somebody that works across government, across IGs, across operations. That is potentially something that could be useful, but where is that ombudsperson located? The ombudsman is located in FAFSA. Did that person raise any of these issues with you about the scams being perpetrated on students through the website? No. Those scams are done by third party entities that are outside of our scope. So basically it was nobody's responsibility to try to identify that threat? Is that right?
I mean, that's not a gotcha question. I'm just trying to prevent this from happening again. There were cases of this going back four or five years now. Again, commercial entities that are marketing to students to provide the services to those students, and the students agreed to, you know, obtain those services. And the questionable nature and value of those services is not something that we police. What we've been trying to do is provide user education and let people know that, you know, they don't need to use these resources. And, you know, we're working with partner organizations and so forth. But we don't have any control over those entities. Thank you very much for your answers. I yield back, madam chair. Thank you, Mr. Raskin. Mr. Hice, you're recognized for five minutes. Thank you, madam chair. Mr. Corbin, do you have any idea how much the IRS loses to fraudulent tax returns each year? No, congressman. I can bring that back for you, go back and get that information for you. Please do. Would it surprise you that in 2013 alone it was over $5 billion? Does that come as a surprise to you? It does not come as a surprise, congressman. So it's no surprise that over $5 billion, let's just say that's the average a year, $5 billion a year plus or minus in fraudulent returns, and now, as has been clearly established, ballpark 100,000 taxpayers were put at risk as thieves breached the DRT, do you have any idea how many fraudulent returns resulted from those 100,000 taxpayers? So congressman, what I know is that we have received about 111,000 returns filed under those Social Security numbers. Of those returns, 80% of them were either stopped by our filters prior to the refunds being paid, or they were the actual legitimate taxpayer. That's good information. But that was not my question. I want to know how many fraudulent tax returns came from those 100,000. Yes, sir. We have confirmed about 29,000 returns as identity theft. Okay.
And how many of those were fraudulent, was my question. Commissioner Koskinen said it was about 8,000. Yes, congressman, there are 8,000 returns that were not stopped by our filters that we have not been able to... That were fraudulent? That we have not been able to determine if they were fraudulent or the legitimate taxpayer. That was my question. I would appreciate it if you would answer my question rather than run around it. Do you have any idea how much money was lost due to those 8,000 fraudulent returns? I believe that is about $32 million, sir. It is about $30 million. Does the IRS reimburse the fraudulent tax returns from those who are victims? So when a true taxpayer comes in and files their return, they do get their full refund that they're entitled to. Okay. And who pays for that? That comes out of the treasury, sir. So the taxpayers pay for it. Yes, sir. So we had $32 million out of this 100,000 people, 8,000 fraudulent returns. Is that $30 million, does that include the reimbursement for the victims? No, sir, it does not. So we're talking, if we have $5 billion a year in fraudulent returns, we're probably talking $10 billion that it costs the taxpayers every year after the victims are paid back, is that so? Of the $32 million, congressman, again, we have not confirmed whether that is a fraudulent return or the true tax return. Okay. I'm just going by what Commissioner Koskinen said, and I would think he would be accurate in that information. Ms. Garza, I'm still scratching my head over your comments earlier that as far as you're concerned, you didn't know of any breach whatsoever. Yet it's pretty well confirmed there was a breach here, you even came back around and admitted that a little while ago. It depends on the timing, sir. In September it depends on whether or not anyone broke into the system. That is what determines a breach. And it just, I'll tell you, I just struggle.
It appears to me at the end of the day, you're either in denial of what happened or you're incompetent or you're just untruthful in what's happening here. I go back with what's been shared, the abuse that's been inflicted on American citizens by the IRS is inexcusable. It's time that there's accountability and some change that takes place at the IRS. This is just, it's so bothersome, it's indescribable. Mr. Gray, let me come to you. It's my understanding the department may have the data retrieval tool operational for the purposes of income-based repayment plans back up in May or June; is that correct? That is my understanding, sir. Okay. That being said, this has taken more or less three months to fix it, correct? Yes, sir. Okay. It has taken three months. Why in the world was this not addressed last fall? Unfortunately, I can't answer that question because I'm not involved. Who can answer that question? Mr. Runcie. It wasn't addressed, I think it's what we said a little bit before, which was we were making a decision at the time based upon the fact that there wasn't any criminal material, criminal activity. What the commissioner said is we would continue to monitor the situation, and once there was confirmed criminal activity, we would take the system down. So that was the focus of it. And March 3rd, when we were contacted, the system was taken down. The commissioner said that identity thieves used it to put forth false tax returns, and made it clear that there was criminal activity, and that because of such, the system was going to have to be shut down. As long as we're talking out of both sides of our mouth, madam chair, I thank you for indulging me extra time. I yield back. Thank you very much, Mr. Hice. Mr. Clay, you are recognized for five minutes. Thank you, madam chair. And I find it deeply concerning that the Trump administration has started rolling back the protections that help ensure that students are not taken advantage of by a predatory loan company. Mr.
Runcie, the secretary of education, DeVos, recently rolled back a critical protection put in place during the Obama administration. This protection prohibited loan servicers from charging up to 16% in interest on overdue student loans if borrowers entered a loan rehabilitation program within 60 days of default. Mr. Runcie, why did she rescind that protective order? I'm not aware, there was a policy memo that was rescinded, is that what you're referring to, Representative Clay? Yes. So we again, we're in the process of going through a competition for servicers. And the focus of that competition is to make sure that we have the best contract in place that's focused on high quality outcomes for students and borrowers. That's what we're focused on. There hasn't been anything communicated from the secretary that would change our ability to go forward and to make sure that there is a vehicle in place to make sure that we optimize outcomes for students and borrowers. Doesn't that action place the financial interests of the loan companies over the interests of our students? That's not what we're doing. That's not what's been communicated to us. Does it signal to loan companies that they can return to the predatory practices they engaged in before that take advantage of students? I mean, look. You and I know that people struggle to pay these student loans. So they came up with a way to give them some kind of relief. And now we're going to throw that out? Look, I share your focus on making sure that we have the best circumstances for borrowers and students. And, you know, if you look at income payment plans, which was a tool put in place to make it easier for students to manage their obligations and their debt, that has risen substantially. Our servicers in the department make sure they get into plans that allow them to maintain and manage their debt. Let's talk about those plans. Just last month the secretary withdrew another critical consumer protection afforded to student borrowers.
Under the secretary's order, contracts for debt collection will no longer be based on a loan company's history of helping borrowers, but can, again, be based on a company's ability to collect debt. Can you explain why this change was made? Actually the evaluation, and again, we're in procurement mode, so there are certain things I can't talk about, but the actual evaluation does include looking at past performance and responsibility as well as operational performance. So the process is more than just looking at the ability to recover. Yeah, but doesn't that go back to allowing these companies to prey on borrowers, I mean, and make that the standard operating procedure, that at all costs, collect the debt? I can't speculate on that, sir. And look, there have been troubling reports recently that the department is reversing previous determinations that student loan borrowers qualified for a loan forgiveness program to encourage public service. Borrowers may have relied for years on these determinations to plan their educations, their careers, and their lives. And this program started in 2007. Under this program, borrowers can have their federal student loans forgiven after making ten years' worth of payments if they serve full-time in public service jobs. Is that... I'm aware of the issue. And my understanding is that there is potentially some litigation around that. But, you know, the public service loan forgiveness is a vehicle that's out there, if you make payments for ten years on time, you could be forgiven the remainder of that. That program is in place and we operationalize it. Are you intending on changing it? I'm not aware that there's any intention to change it. You know, that's an overall departmental perspective. It all comes down to, let's scam these students, let's scam these borrowers, and let's take care of the servicers. And I think you should be ashamed of yourselves.
What I can say, and I can say this personally, there's a dedicated staff at the department that's been there quite some time. Our focus is not to facilitate or aid and abet any situation that compromises students and borrowers. We're committed to making sure they have the resources to be successful. We know it's a difficult, it's a huge portfolio. My intention is the same as your intention, to make sure we don't have a structure that compromises any... God help the borrowers. The gentleman's time has expired. The ranking member is recognized for a unanimous consent request. Thank you very much, madam chairwoman. I submit for the record a letter dated May 1st, 2017, to the honorable Kathleen Tye, requesting certain documents with regard to this hearing. Without objection. The chair will recognize herself for five minutes. I have to say that I agree with my colleague from Georgia who was here a few minutes ago, that this situation of none of you all or people in your agencies being willing to take responsibility for what's happened. Either you're in denial or incompetent. I think the American people watching this are feeling the same way. I'm troubled by my colleagues wanting to distract from the incompetence of the FSA and the IRS on display here today. I want us to go after any bad actors outside the system. But our number one priority is to protect the American people. And everybody who works in this country is affected by the IRS. So yes, we want to protect students from any unsavory characters. But all Americans are affected by the IRS if they file their taxes, and most of them do. Thank goodness we have a system and most people voluntarily do what they're supposed to do. So the problem we have with our government agencies is there's no accountability for any of you individually. And that is a shame, a real shame on this country, that you all can ignore the continued incompetence and not be held responsible. I do have some questions. The department has taken some steps, Mr.
Gray, Mr. Runcie, to mitigate the burdens on students, families and institutions caused by the DRT suspension. But I'm concerned about the potential fraud the flexibilities you've put in place may cause. How is the department ensuring that no new doorways to fraud are opened in this process? And I would like specifics, please. Well, in terms of, and thank you, chairman Foxx, chairwoman Foxx. In terms of specifics, you know, as you know, the verification, the back end verification is something that we've used along with, you know, the schools. So we do regression analysis and we come up with a formula that indicates a level of risk. And so what we've done in terms of giving flexibility is we would reduce the lowest risk element based upon regression analysis so that even if we lessened the verification burden, it would be on a risk mitigated basis. So we would only eliminate the lowest risk applicants, potentially. So the other part is that we're going to do this for a limited period of time, right, because we're going to get the tool back up October 1st. And so for all the FAFSA cycles going forward, it won't be an issue. It will be a way to balance the burden to schools and the risk to taxpayers. Mr. Gray, do you have anything to add to that? Yes, ma'am. I would say there are also technical controls that we're looking at putting in place. And I would be happy to give more in depth details about those controls specifically. But I would not want to reveal sensitive information right here. I understand. So Mr. Runcie, I touched on this a minute ago, that you're trying to get the system back up for the 2018 FAFSA filing period. Recognizing the balance between security and access, can you make the commitment to ensure there's no opportunity for the DRT to be misused again when it is once again operational? And I'm going to ask each one of you, answer that question yes or no. Mr. Runcie? Yes, because that's all I need to know. Mr. Gray? Yes, ma'am. Ms. Garza?
I'm not sure. You're not sure? Mr. Corbin. I'm also unsure. Mr. Camus. We'll be watching closely. I think you've given the American people great confidence today from the IRS when you tell us you cannot secure the systems. Mr. Runcie, I want to come back to you. I've been hearing troubling reports regarding the collection of defaulted student loans. We've been hearing a lot about that here this morning. Currently struggling borrowers in default are without the critical services needed to rehabilitate their loans or access other benefits designed to lessen the impact of default. This is the responsibility of the department. Can I get a commitment from you and the department to provide my staff with critical information needed to assess the current loan default situation? Absolutely. And when? Two weeks. And when? When will we know what the critical information is? When will you get that to us? So we can define what the critical information is within two weeks. And we can get you the information within a month. So we'll have that to you within a month. Thank you for telling us that. We will hold you to it. Thank you. Mr. Connolly, you're recognized for five minutes. I thank the chair. I just want to say, the breach at the department of education is something we've been warning about in this committee for quite some time. The department of education holds data on 139 million individuals. And I would echo what our colleague from Ohio, Mr. Jordan, said. The department of education may very well be in breach of law. And we're going to explore that. However, I know... what happened to Mr. Scott? I was just going to yield to Mr. Scott. He had to go. All right. Sorry. Then I'll pursue. Mr. Gray, are you familiar with FISMA? Yes, I am. And what does FISMA require you to do at the department of education? Protect our information assets for the department. Well, that's not all it does. Doesn't it have a reporting requirement with respect to the legislative branch?
Yes, sir, it does. Within seven days of an incident. And did the department of education comply with that seven-day reporting requirement? Sir, through our analysis of nearly 89,000 Social Security numbers, we did not identify that department data was compromised in this situation. This was a situation where unlawfully obtained information was used to go through our system to access information through the DRT, which is why we did report it to US-CERT. When it was identified that the compromise was through the DRT, that is when we did not report this as a major incident, because our information, the information that the department holds, was not compromised. And is that still your position? Yes, sir. So from your point of view, FISMA has not been triggered? A major breach of department information was not compromised. Is that the language of the law? That a major breach has to be compromised? That is to say, a major breach has to lead to the compromise of data? No, sir. When the IRS reported this and we were notified on March 3rd, it was identified as an IRS system. It was not a department of education system. We did thorough analysis of all of our systems through FAFSA, and nothing indicated to my knowledge that any of our information was compromised. Mr. Camus, is that your view? We have yet to determine the timeliness of the reporting of the incident, sir. No, that's not my question. My question is do you concur with Mr. Gray that there was no breach of data, compromise of data? We would view it as once somebody was able to see somebody else's data, that that in fact has been a breach. So I would too. And therefore I would argue FISMA is triggered. Would you agree? Yes, sir. Well, Mr. Gray, it sure does sound like you're splitting hairs. And you're coming up with a criterion that was not envisioned in the law itself, nor is it reflected in the language of the law itself.
I mean, we don't have traffic laws that allow you to decide, well, I didn't hurt anyone, yeah, I was speeding but I didn't hurt anyone so therefore I shouldn't get a ticket. I mean, the law is there to make sure the legislative branch is informed in a timely fashion when this kind of activity occurs. And the reason isn't so that we're keeping score. It's to make sure we're doing what we can on our part to protect citizens. It seems to me it was incumbent on the department of education to inform us in a timely fashion. In fact I would argue if I were managing the department of education, the better part of wisdom would dictate that I inform them even if I didn't believe FISMA was triggered. The fact that months could go by, as Mr. Camus just said, a breach is a breach, once it's breached, you have to assume that data is compromised, if not today, tomorrow, because it can be. And I just don't find your explanation very credible. And I frankly think it's a disservice to the, you know, the people whose data you possess. And it's an end run with respect to the legislative branch. And I think it's in violation of the law. I know we're going to pursue that more, but I don't think that's something that puts the department of education in any kind of good light. My time is up. And I'm sorry I missed Mr. Scott. I was going to defer to him. I thought I was being asked to. Thank you, madam chair. Thank you, Mr. Connolly. And thank you for honing in on the issue of the day and looking for what remedies we might have under the law. Mr. Meadows, you're recognized. Thank you, madam chairman. We're going to follow up, Mr. Gray, right now. Because I can tell you that Mr. Connolly is spot on. And this is not your first rodeo. You know, we have had these other issues before with regards to privacy. And is it your sworn testimony today that this did not actually require a notification of congress? No, sir. My understanding is that the IRS had reported the incident and that it was a breach.
But the department of education, my understanding, when I was notified on March the 3rd, that the notification had already happened. I have learned in this hearing that it did not happen. Well, how can the American people, actually people who share private information with you, who expect it to be protected, have confidence when you're here today and you don't even know the full story, that you're finding it out in a hearing, when you knew we were going to be looking at this? How can you find a hacker who truly wants to come in and do harm, and you can't even be prepared for sworn testimony today on questions that I presume that you knew we were going to ask? I understand, sir. Where is the outrage? Where is the outrage, Mr. Gray? Are you not outraged? I absolutely am. Why didn't you notify congress? My understanding was this was not... You realize that was... did you have your counsel that said you don't have to notify us? Who did you check with who said you don't need to notify congress? We went through our incident response process who did an assessment. Why did you refer something to an outside agency before you notified your own IG within your department? Our IG was notified right after we... But according to my documents, you actually notified US-CERT first. According to your testimony. Why would you do that and wait to get the IG involved? Because when we notified US-CERT it was to let them know what had occurred. At the time we were not sure what had happened. So you notify the IG, it was important enough to notify the IG but it was not important enough to notify congress? Hindsight, sir, yes, it was important enough to notify congress. At what point, at what point are we going to get this right? Because we continue to have breaches, Mr. Connolly and I have had a number of hearings where we've raised this as a concern, and yet what happens is, we're always coming in after the fact to look at this. Do you not see a problem with that?
I do see a problem with that. Well, when are we going to get it fixed? Sir, we receive on average more than 1.5 million intrusion attempts every single month at the department. And what my team does is we assess, to determine whether or not something happened, nothing happened. And logistically, I know in this case it's easy to look and say, okay, this should have been reported, I understand that. So you're saying it's a matter of logistics on why you didn't report it? Because that's different than what you said earlier. Earlier you said you didn't think you had to report it. Based on the analysis that my team did, our information, our information, the information that I am... So how confident are you that there was only 89,000 people that were affected? Based on the log analysis that was done at the department, very confident. A ten? Yes, sir. So if we find out there was more than that, are you willing to resign? If I don't know the information, no, sir. I mean you said you're confident at a level of ten. So I guess I would stake my reputation on that, if you're confident at a ten. If there's more than that, because the IRS knows that sometimes we found out there's actually more people that were affected than was originally thought. So if you're confident at a ten, are you willing to stake your job on it? Sir, the challenge here... Sir, I am representing people back home in North Carolina, as every member here is. You know what? They fail to realize that you can't protect sensitive information that they give you and they don't understand that. I don't understand it. At what point are we going to have a confidence when people share their information with the government, that it is not subject to being shared with another party? Isn't that what your job is all about as CIO? Yes, sir. All right. The next time, you are going to inform congress when there may be a doubt? Will you inform us within the seven days? Absolutely. All right. Ms. Garza, last question to you.
Why didn't you inform us? Congressman, we briefed the staff shortly after we brought down... You didn't brief our staff. Why didn't you inform congress? That's the question of the day. Because according to your TIGTA, it's 100,000. It certainly meets that threshold. Why wouldn't you inform us? Congressman, we did inform the congress that this was a data breach. The reason why it took as long as it did is because we were going through, analyzing the information. The initial population was much smaller than 100,000 that we thought were impacted. We also needed to coordinate with the department of education to determine whether this... But didn't you find it just based on dumb luck? It was actually just one of your IRS employees that actually got a transcript request and they said, hey, something doesn't smell right here? Congressman, we have multiple layers of... That's not the question. Wasn't it dumb luck that you happened to find this? No. So it wasn't an IRS employee that happened to get a transcript? Be careful, you're under sworn testimony here. It was an IRS employee. He received a notification as part of one of our defense mechanisms that his account had been accessed. So it was an IRS employee who happened to have his stuff that was notified, and he said, hold on, we got a problem here? Do you not see that that is almost laughable? One of our mechanisms to determine whether something has gone wrong is a notification to the taxpayer. Our systems automatically send out a notification. So you purposely embed IRS employees in all this so that they might get a permanent notification so they can highlight this? Come on. I yield back. [ inaudible ] Thank you, madam chair. I thank the panel. Ten years ago I was proud to lead the effort here in the House, and we teamed up with Senator Kennedy on the Senate side to create the Public Service Loan Forgiveness Program. And we've paid close attention to that over the last ten years, working with the U.S.
Department of education along the way to create online resources to help borrowers understand whether they're going to qualify for this program which includes reduced monthly payments as well as ultimate forgiveness of their outstanding principal, if they commit ten years to public service. That includes the need to be assured that the employment you have, the particular employer you're working for, qualifies under that public service category, and that you can count the time spent with that employer towards your ten years, and ultimately earn the forgiveness. Congressman Clay alluded a moment ago to the fact that there is some troubling position that the U.S. department of education has been taking over the last 18 months with respect to certain categories of employers. They are now telling borrowers who relied on an assurance that that employer would qualify, being told now that it won't, and there is some litigation around that. Mr. Runcie, as you indicated, we need to get to the bottom of that. Because there are borrowers that have relied on assurances that have come from the department, and they need to be able to count on that, otherwise the rug is being pulled out from under them. I know that some of us here have been trying to get a briefing from the department over the last few weeks. That has not yet happened. Could you commit to us today that the department will be willing to brief us on this issue and what's happening with that? So it's not just us. We obviously operationalize it and put the resources out there so people can avail themselves of public service loan forgiveness. But I think that briefing would include other entities such as OGC and policy, some other folks. That's fine. Can you help us arrange to get that briefing done and get it done quickly so we know what's happening with this, and then we can take appropriate steps in our oversight capacity? Absolutely. It is an important issue and I think we're real focused on it.
So I will absolutely commit to working with my colleagues to see... Let me stay focused on the public service loan forgiveness piece and loan driven repayment. When you talk about the universe of borrowers out there that are impacted by the breach that we're talking about today, using this data retrieval tool, you have the part of that universe that are folks that are, you know, involved with standard repayment. And then you have those who are in a loan driven repayment situation based on one program or the other. That includes public service loan forgiveness. And they have to be handled differently, because they're impacted differently. You've indicated that with respect to the standard repayment world, that you're going to try to get this tool back in service by the beginning of the next year. So October is the goal, but with respect to loan driven repayment, you're trying to get that back up by May. So can you tell us how confident you are? It is May for you. How confident are you that that is going to be available to folks that are benefiting from loan driven repayment arrangements? Is that going to happen? Yeah, we're very confident, as the IRS mentioned, they've completed the encryption part. And we have a time line that gets us to a place where it's up and running by the end of this month. We know it's only another few weeks, but we can commit to that. I appreciate that. Can you also let me know, I know one of the sort of stopgap remedies is, when someone is in this situation, perhaps not being able to access a tool in a timely fashion, forbearance for two months, three months, what have you, that can work okay for the standard repayment folks because there's really no downside to losing a couple of months in terms of your repayment. But if time is of the essence in the sense that you're accruing time towards this ten-year repayment period, then forbearance is not necessarily going to be a great solution for people in the loan driven repayment category.
Is that something that the department has considered, and is there a way to provide a remedy there that doesn't complicate the lives of these folks that are in a particular program like that? Yeah, I'll make sure that we are... I know we're considering a lot of different issues around it, and I believe that's one. But we'll certainly make sure that we're focused on that, because I do understand the issue around that. Okay. I yield back. Thank you. I wanted to add one thing. We're pretty firm on the end of May, unless potentially some requirements change. But I think we're committed to the end of May for the tool being back up for the income-driven repayment plans. Thank you, Mr. Sarbanes. Thank you, Mr. Runcie. Mr. Mitchell, you are recognized. Thank you, Madam Chair. I join your dismay that rather than discuss the data breach, the impact it has on the ability of students to get assistance, and how we deal with the data breach going forward, some wish to talk about issues that we're now going to investigate as well, which is potential bad actors, to obfuscate what the current issue is, which is the IRS's and the Department of Ed's ability to have this tool work and not be breached, but rather to talk about other issues. We only have so much time here; we only have so many things we do simultaneously. Let's talk about the issue on the table. I guess I shouldn't be surprised. Mr. Connolly, you've... I'm sorry, Mr. Gray, you've seen The Wizard of Oz, right? Yes, sir. Did you see the part where they talk to the scarecrow and ask him where the yellow brick road is? Do you remember that part? Yes, Representative. And the scarecrow goes like this. Do you remember that part? Yes, sir. In my opinion, frankly, sir, that's exactly what you're doing when you talk about, the data breach happened at the IRS and we didn't think it was us, we didn't need to worry about notification.
You know, when you've got something as sensitive as personal information for the number of students that you have, the moment in time you think your data has been breached, you have a moral, if not legal, responsibility to notify Congress. That's a lot of information. And it wasn't done. It's not the first time it wasn't done. And I don't understand that. And I don't know how it is we get across to the department that that's their responsibility by law, if not morally. What's it take to get someone to understand it over there? Can you explain it to me? I have committed that I will do that, sir. I ran a private group that had 6,000 students a year, close to 7,000 students a year, for six and a half years as CEO. Ms. Garza, the CIO reported to me for a reason. Do you know the deal I had if we got hacked? And we didn't have as many hacks as the Department of Ed. Do you want to guess what the deal was if we got hacked? You held the CIO accountable? The CIO's resignation was on my desk. That's how sensitive that information was. But I am serious. I'm absolutely serious. I'll give you his phone number; you can call him. His resignation was on my desk. His cell phone got buzzed any time there were certain sets of activities, whatever hour of the night. Who in your staff gets called in the middle of the night or gets a buzz if, in fact, data goes out of whack? Anybody? The CISO is the first one who gets a call, and depending on the type of breach, she will call me. I've heard repeatedly budget concerns, budget concerns. That comes from the private sector and I'm absolutely amazed. The first time a problem comes up, everyone wants to whip out the taxpayers' checkbook, because hey, just spend more money. From the world I come from, we first identify the problem and what it takes to solve it, not just throw money at it. So answer a question for me. By the way, we all know how many people had their data hacked, false tax returns.
I had it happen to me. My youngest son is dealing with it right now, this year. How much money do you need to tell this group, to tell Congress, that you can secure the system? Exactly how much do you need in your budget that you'll put your letter of resignation there if you get hacked? How much money? I don't know how much money it would take. You ask for more money all the time. We ask for additional resources to continue to fortify our systems. Every year, every year. That's correct. I asked you a question. How much money do you need in your budget for data protection that you'll put that if you get hacked, you'll go home? I don't have that dollar amount in my mind. What I do know is that criminal enterprises are constantly changing in their tactics. I understand. So to make a statement that we can guarantee a system is secure, quite frankly, is a little bit folly. We are doing everything that we can to make sure that our systems are secure. We have not had a breach of our internal systems, although we have had data loss. So to try to come up with a dollar amount that would guarantee that something will not occur, I think, at that time I would think we're probably not going to end up being secure. My time is expiring. I appreciate your patience. Anywhere else in the world, in the private sector at least, somebody says, we really screwed up here. They take accountability for it. My technology staff took it personally when someone tried... when we had people trying to hack how we secured it. It was the game. It was their life. The fact that folks can sit here and say, well, stuff happens... but when you're talking about people's information to the Department of Education or IRS, it's not just stuff happens; it's their life. It's their tax return. It's their personal information used to get credit elsewhere. This is not minor stuff, and I don't see the perspective of concern that, well, we'll do the best we can. If it's wrong, we may notify or not notify.
We may not think it's our problem because it's the IRS's problem. Again, they went thataway. Someone needs to be accountable, and I'll join Mr. Connolly and others, because we can't have this kind of data leaking out, people taking it and using it for adverse purposes. You should be ashamed. I yield back. Thank you. The gentleman's time has expired. Ms. Maloney, you're recognized for five minutes. Thank you, Madam Chair. We need to do everything we can to prevent cyber attacks from occurring, but when they do occur, it's critical that we take it seriously, as the gentleman said, and also that we learn from them. In 2015 criminal elements attacked the IRS and its Get Transcript application, the tool that allows taxpayers to obtain copies of prior tax returns using a collection of personal information. An organized criminal syndicate obtained tax data for a staggering 300,000 individuals. Is that correct, Mr. Corbin? That is correct. Since then the IRS has been working diligently to increase the security of its systems. In January 2016, as a result of cyber security improvements, the IRS stopped an attempt to acquire the e-filing PIN numbers of taxpayers. Mr. Corbin and Mrs. Garza, is that correct, and can you describe what the improvements were that enabled you to stop this other attempt? Congresswoman, for Get Transcript, we took that application down and did an assessment of the level of risk, and we put in place what we call Secure Access authentication. It is a higher level of authentication that requires ID proofing, financial verification, and then an activation code in order to be able to get access to your transcript. We continue to take the dollars that were provided by Congress, the $290 million, to invest in additional cyber tools that allowed us in this case to be able to detect when there was activity occurring on tools that we have that are outside the IRS network. We looked at that and again identified that that would be a vulnerability.
The e-file PIN application is not back up. We eliminated the e-file PIN application and now require AGI or the self-select PIN, which taxpayers have. After the 2015 incident, you did a reassessment of all of your online applications, including the data retrieval tool. As you stated in your testimony, that assessment, and I'm quoting from your testimony, "indicated the need for strengthened procedures and led to collaboration with the Board of Education to best implement those procedures." Is that correct? That is correct. Now I want to turn to the 2017 data retrieval tool incident, where criminals were able to use personal information gathered elsewhere to create student aid accounts on the Department of Education's websites and obtain individuals' sensitive tax information. So Mr. Corbin and Mrs. Garza, is it right to say that, much like in 2015, individuals were seeking the information necessary to file fraudulent returns? That's correct. Yet this time individuals were much less successful in obtaining the returns, and according... would you like to comment on that? No, Congresswoman. Go ahead. According to GAO, identity theft at the IRS has decreased in recent years because the IRS has improved its ability to detect fraud before processing a return. This improved detection ability is illustrated by the fact that automatic security filters were able to stop almost 65 percent of potentially fraudulent refunds from being issued in the data retrieval tool incident. Is that correct? That is correct. So we can't stop all cyber attacks. That's just the reality of today. But we can learn from them. So I think you've shown your ability to do that. You know, when you file... why would somebody want to file a fraudulent return? What was the purpose of it? Congresswoman, most people file fraudulent returns with the hopes of obtaining a refund. Whoa. From that return. And are they successful? Congresswoman, fraudsters are successful, but we have gotten so much better over the years.
The IRS has a public-private partnership called the Security Summit, where we work to protect the tax ecosystem, working with state departments of revenue and with software developers so that we can build better systems to help protect the tax ecosystem. As you stated in this case with the data retrieval tool, we have information that we are using in our filters. It did allow us to stop 80 percent of the returns that were filed in this event that were either potentially fraudulent or before the refunds were able to be paid. Thank you. My time has expired, but I hope that we can continue to fund the IT improvements that the IRS requests so we can continue going forward and being more effective in stopping fraud and helping taxpayers. Thank you for your time today. Mr. Grothman, you're the one we've been looking for, the last one. You're recognized for five minutes. A few questions. How long have you been the Chief Information Officer at Education? 11 months, sir. And since November of 2015, this committee has uncovered what are significant shortcomings in your security plans before you were even there, as well as corruption of the former CIO. As a newcomer, what concerns you the most, and what were your first actions as CIO to clean this up? I had five focus areas when I came to the department. One was security. One was organizational health, policy challenges. There were numerous things that we need to improve, and I will say in the last 11 months we have made significant progress at the department in terms of implementing processes, implementing policies, changing personnel. Okay. Last year, you, sir, reported 192 incidents in your department. Can you tell us what information leaked out in those 192, give us, say, how many files and what they covered? I would have to get that information for you, sir. I do have a list of the information, but I want to verify. Give me a broad... what are the things that get out there?
Typically Social Security numbers sent from one individual to another individual that weren't supposed to, or it wasn't encrypted? Anything beyond Social Security numbers? I want to verify, sir, but to my knowledge... You can't think of an example? Not at this moment. Okay. Is this... I guess we'll call this the OCIO 14 handbook. Yes, sir. Do you know how recently this was updated? I have the current one you give your employees. Do you know how recent the most recent one was? There's a draft circulated right now that has been updated. Do you know how old this is? Seven years, sir, maybe. A little over six years. Do you think that's satisfactory? No, sir. Can you give us a hard number as to when you'll have something available for your employees? For OCIO 14? Correct. The concurrence process within the department takes an amount of time, so I can't comment on that, but I will say that I have a solid draft that's going through concurrence right now. Can you give us a guess? A month, four months, a year? My understanding is the process is about six months to a year to go through formal concurrence. How far are you through the process now? We started last week. We started the actual concurrence process last week. So you began something, but it could be a year before we get something that's more than six years old? I will expedite it because I know it's critical to the department. And critical to us and critical for the public. Can you give us some... when we talk about the files for the Social Security number, can you tell us what else is in those files? I would have to look specifically at them. At this point sometimes they're Excel spreadsheets that contain Social Security numbers. I would have to look to verify. Okay. Mr. Runcie, have there been breaches of your... Not to my knowledge, no.
There was, I think, about... might have been four years ago, there was a time where the system was open for a few minutes and there were 6,000 cases of information that was viewed that shouldn't have been viewed, but that was the only systemic breach or incident that occurred at that time. How long ago was that? It was a few years ago. I'm not exactly sure. So you've had nobody breach anything for the last four or five years, do you think? Three, four years, we'll say? Well, there's been no material breach. There's a possibility that there might have been an incident here, incident there in terms of student aid data, but none to my knowledge. Okay. They don't tell you? I would be informed if there was, and I'm not aware of any. Okay. I yield the remainder of my time. Thank you very much. I'm ready to close. None of my colleagues on the Democrat side, so I will make some very brief comments. To not broach our protocol, I will not ask questions, but I will let Mrs. Garza, Mr. Corbin and Mr. Kemist know that we will be letting you know exactly how many fraudulent returns were filed as a result of the breach and when those people obtained that information. And we will want an answer in what most of us would consider reasonable time. It has been extraordinarily difficult today to get any kind of specific answer out of any of you. And I think Mr. Mitchell's comment about the scarecrow was entirely apt. You're blaming each other. The American people, frankly, are tired of this kind of display of incompetence again. You all cannot answer questions or will not answer questions. It's a little difficult to know. Let me tell you something, in my world, $30 million is a lot of money, a lot of money. And you all don't seem to take it seriously at all, that as a result of your not being able to take action when a breach is made and you're not following the law to let Congress know... it's even more troubling to me that you take so long to do anything. Mr.
Grothman's comments about a document that's very important taking seven years to update? It's pure incompetence. And I would gather... I would venture to say that we might be able to get better people coming into your agencies to do the work that needs to be done, regardless of the pay, if they thought they could get something done. But the bureaucracies are so impossible to change. And I do want to note that both Mr. Gray and Mr. Runcie came to the department, and all of you all too in the IRS, under the Obama administration. Our colleagues are going to raise Cain with the existing departments and make it appear as though this is the responsibility of the current administration. I think it needs to be made abundantly clear that you all came into these agencies under the previous administration and have been kept on by the previous administration. We will also put into the record the expanded timeline in terms of when these problems began occurring and point out, where we possibly can, the inaction of the people who are supposed to be working for the American people and keeping their data confidential. So I thank you all for being here today. And this hearing is dismissed.