[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]


                      REVIEWING THE FAFSA DATA BREACH

=======================================================================

                                HEARING

                               BEFORE THE

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             FIRST SESSION

                               __________

                              MAY 3, 2017

                               __________

                           Serial No. 115-46

                               __________

Printed for the use of the Committee on Oversight and Government Reform




         Available via the World Wide Web: http://www.fdsys.gov
                       http://oversight.house.gov
             
             
                               __________
                               

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
28-504 PDF                  WASHINGTON : 2018                     
          
----------------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, 
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). 
E-mail, gpo@custhelp.com.            
             
             
             
             Committee on Oversight and Government Reform

                     Jason Chaffetz, Utah, Chairman
John J. Duncan, Jr., Tennessee       Elijah E. Cummings, Maryland, 
Darrell E. Issa, California              Ranking Minority Member
Jim Jordan, Ohio                     Carolyn B. Maloney, New York
Mark Sanford, South Carolina         Eleanor Holmes Norton, District of 
Justin Amash, Michigan                   Columbia
Paul A. Gosar, Arizona               Wm. Lacy Clay, Missouri
Scott DesJarlais, Tennessee          Stephen F. Lynch, Massachusetts
Trey Gowdy, South Carolina           Jim Cooper, Tennessee
Blake Farenthold, Texas              Gerald E. Connolly, Virginia
Virginia Foxx, North Carolina        Robin L. Kelly, Illinois
Thomas Massie, Kentucky              Brenda L. Lawrence, Michigan
Mark Meadows, North Carolina         Bonnie Watson Coleman, New Jersey
Ron DeSantis, Florida                Stacey E. Plaskett, Virgin Islands
Dennis A. Ross, Florida              Val Butler Demings, Florida
Mark Walker, North Carolina          Raja Krishnamoorthi, Illinois
Rod Blum, Iowa                       Jamie Raskin, Maryland
Jody B. Hice, Georgia                Peter Welch, Vermont
Steve Russell, Oklahoma              Matt Cartwright, Pennsylvania
Glenn Grothman, Wisconsin            Mark DeSaulnier, California
Will Hurd, Texas                     John P. Sarbanes, Maryland
Gary J. Palmer, Alabama
James Comer, Kentucky
Paul Mitchell, Michigan

                   Jonathan Skladany, Staff Director
                    William McKenna, General Counsel
    Katie Bailey, Government Operations Subcommittee Staff Director
     Troy Stock, Information Technology Subcommittee Staff Director
                    Sharon Casey, Deputy Chief Clerk
                 David Rapallo, Minority Staff Director
                            
                            
                            C O N T E N T S

                              ----------                              
Hearing held on May 3, 2017

                               WITNESSES

Mr. James W. Runcie, Chief Operating Officer, Office of Federal 
  Student Aid, U.S. Department of Education
    Oral Statement
    Written Statement
Mr. Jason K. Gray, Chief Information Officer, U.S. Department of 
  Education
    Oral Statement
    Written Statement
Ms. Silvana Gina Garza, Chief Information Officer, Internal 
  Revenue Service
    Oral Statement
The Hon. Kenneth C. Corbin, Commissioner, Wage and Investment 
  Division, Internal Revenue Service
    Oral Statement
    Joint Written Statement of Mr. Corbin and Ms. Garza
Mr. Timothy P. Camus, Deputy Inspector General for 
  Investigations, Treasury Inspector General for Tax 
  Administration
    Oral Statement
    Written Statement

                                APPENDIX

National Association of Student Financial Aid Administrators 
  Statement submitted by Mr. Russell
National College Access Network Statement submitted by Mr. 
  Russell
American Council on Education Statement submitted by Mr. Russell
Electronic Privacy Information Center Statement submitted by Mr. 
  Russell
Ms. Melissa Macko Constituent Email submitted by Mr. Duncan
Response from Mr. Sessa, Acting Chief Information Officer, Office 
  of Federal Student Aid, U.S. Department of Education, to 
  Questions for the Record
Response from Mr. Gray, Chief Information Officer, U.S. 
  Department of Education, to Questions for the Record
Response from Mr. Corbin, Commissioner, Wage and Investment 
  Division, Internal Revenue Service, to Questions for the Record
Response from Ms. Garza, Chief Information Officer, Internal 
  Revenue Service, to Questions for the Record

 
                    REVIEWING THE FAFSA DATA BREACH

                              ----------                              


                         Wednesday, May 3, 2017

                   House of Representatives
               Committee on Oversight and Government Reform
                                                   Washington, D.C.
    The committee met, pursuant to call, at 9:30 a.m., in Room 
2154, Rayburn House Office Building, Hon. Steve Russell 
presiding.
    Present: Representatives Russell, Duncan, Issa, Jordan, 
Amash, Gosar, Foxx, Meadows, Ross, Walker, Blum, Hice, 
Grothman, Hurd, Palmer, Mitchell, Cummings, Maloney, Norton, 
Clay, Connolly, Kelly, Watson Coleman, Plaskett, 
Krishnamoorthi, Raskin, Welch, DeSaulnier, and Sarbanes.
    Also Present: Representative Scott.
    Mr. Russell. Good morning. The Committee on Oversight and 
Government Reform will come to order. Without objection, the 
chair is authorized to declare a recess at any time.
    The chair notes the presence of our colleague, Congressman 
Bobby Scott from Virginia, and we appreciate his interest in 
this topic and welcome your participation today, sir. I ask 
unanimous consent that Congressman Scott be allowed to fully 
participate in today's hearing. And without objection, it will 
be so ordered.
    I would also like to ask unanimous consent to enter into 
the record statements from the following organizations: The 
National Association of Student Financial Aid Administrators, 
the National College Access Network, the American Council on 
Education, and EPIC.
    Mr. Russell. Today, we are here to talk about a data breach 
involving a Department of Education website and an IRS web-
based application. Every day, literally, adversaries and 
criminals conduct an unknown number of sophisticated and 
devastating cyber attacks against our nation. To get the 
government ahead of the curve will require even more effort on 
the part of agency heads and chief information officers as we 
begin the task of modernizing old, outdated, and insecure 
Federal technologies and network architectures, but we cannot 
calibrate our defenses and buy the right security platforms 
unless we understand the threat. We must be honest and 
transparent about what risks that we face and what damage is 
being done. Ignoring the problem or underestimating the threat 
places our nation and its citizens in danger.
    Once again, we find ourselves on the Oversight Committee 
investigating a data breach. Hackers were trying to file 
fraudulent tax returns and steal refunds. To accomplish this 
crime, they turned to the Department of Education's FAFSA or 
Free Application for Federal Student Aid, .gov network and the 
data retrieval tool which was designed to try to aid in 
financial applications.
    To get the one piece of information that they desired that 
they couldn't buy in the marketplace, they came to the tool: 
specifically, taxpayers' adjusted gross income data. You need 
that AGI to authenticate your identity for the IRS and file 
your tax returns, so all hackers needed to do was go to the 
dark web, buy a cache of American taxpayer personally 
identifiable information, use that to get into the FAFSA.gov 
and the data retrieval tool, and then they had everything that 
they needed to steal taxpaying citizens' refunds.
    This is exactly the kind of hacking scheme that the Federal 
agencies must be aware of when they make their services 
available online. If sensitive data can be accessed through an 
online application, it must be secured with strong 
authentication measures and appropriately encrypted.
    We need to call these events what they are: data breaches 
and major incidents. Facing the truth is important not only 
because the incidents ultimately affect tens of thousands if 
not hundreds of thousands of American taxpayers and probably 
millions of students applying for student aid, but it also--
because without understanding the threats we face, we can't 
protect ourselves.
    It took the Internal Revenue Service almost three months to 
determine that this was a major data breach incident that 
required congressional notification under FISMA requirements. And 
the Department is still not calling this a major incident, and I 
would like to find out--and I am sure my colleagues-- why. This 
is not about wordsmithing. What we call these incidents helps 
us bring the full weight of the Federal Government to bear on 
the cyber response, getting help to those that have been 
impacted and making sure the vulnerabilities are defended.
    Cybersecurity is a team sport. A leak at one end of the 
pipe or the other still creates a leak. Agencies must safeguard 
their data and make sure it goes where they intend. If we have 
other organizations, tools, or technologies hooked up to our 
networks or websites, then we are responsible. It only takes 
one vulnerability and then everyone who is connected to that 
vulnerability is at risk.
    What is so troubling about this incident is that it was 
detected through suspicious activity accidentally. The hackers 
inadvertently targeted an IRS employee. Criminals do make dumb 
mistakes. But so do agencies. I would like to think our 
detection and defense abilities are more advanced than mistakes 
of criminals relying on the dumb mistakes that they make.
    We aren't going to win this fight unless we understand the 
threats that we face, the damage that hackers and enemies are 
doing to us, and what we as a Congress can do to empower agency 
heads and CIOs to protect our networks. The first step in 
fighting back is wearing our mistakes like a badge. We should 
follow it with some grit and determination to not let it happen 
to the areas of government that have been entrusted to our 
charge.
    Mr. Russell. And with that, I would like to yield to the 
ranking member, Mr. Cummings.
    Mr. Cummings. Thank you very much, Mr. Chairman.
    No matter who may define it, this is a major incident, IRS 
or Education. I am just letting you know it is a major 
incident. You can put any kind of definition you want on it but 
I am telling you it is.
    I welcome this hearing today. This hearing is about the 
data retrieval tool, and that is a valid topic that several 
other committees are also addressing. And I, too, Mr. Chairman 
want to thank Representative Scott for joining us today. He is 
one who has addressed these issues for many, many years, and I 
thank him.
    Now, what nobody seems to be addressing is the unethical, 
abusive, and predatory actions of student loan companies. Last 
September, the inspector general issued a report finding that 
multiple student loan companies, which were supposed to be, 
supposed to be helping students were actually accessing and 
changing student logon information as part of predatory schemes 
to access their accounts, change their regular mail and email 
addresses, and even intercept correspondence. That is a major, 
major event.
    Specifically, the IG reported that the process for logging 
onto the Federal Student Aid website was, quote, ``being 
misused by commercial third parties to take over borrowers' 
accounts,'' end of quote. In one case the IG warned that a 
student loan company, and I quote, ``changed the mailing 
address, the phone number, and email address for borrowers so 
that it would be difficult for the borrowers to be contacted by 
loan servicers,'' end of quote.
    In another case, the IG found that a company charged 
borrowers monthly fees to, quote, ``put their loans into 
forbearance with the stated promise of eventually enrolling 
them in the Public Service Loan Forgiveness or some other debt 
reduction program even though the borrowers in some cases were 
not qualified for these programs,'' end of quote. This is 
major.
    The IG also found that these companies were able to, quote, 
``intercept all of the borrowers' emails, correspondence, 
including password resets via email, important email notices, 
and direct communication from FAFSA or the loan servicer,'' end 
of quote.
    Less than two weeks ago, on April 20, our committee staff 
conducted a transcribed interview with the special agent in 
charge of this investigation at the inspector general's office. 
This is what he told us. He warned that these companies, and I 
quote, ``were controlling thousands of accounts or creating 
thousands of accounts and controlling them,'' end of quote. In 
other words, the very companies that were supposed to be 
helping students were actually abusing their trust.
    These practices are reprehensible, but the IG reported that 
it could not prosecute these student loan companies because of 
technicalities. Apparently, these companies forced students to 
sign powers of attorney to get loans so the companies 
presumably could try to argue that they were authorized to 
engage in these abusive activities. Something is awfully wrong 
with that picture. It is outrageous that these companies 
effectively got away with behavior they must have known was 
wrong--no, not must have known, they knew was wrong.
    I am eager to hear from today's witnesses about 
improvements necessary to hold these student loan companies 
accountable for engaging in these deceptive and abusive 
practices.
    In addition, as we will hear today, criminals were able to 
compromise the data retrieval tool, which is used to link 
student tax information to financial aid and student loan 
accounts online. These criminals then used this information to 
file fraudulent tax returns. It is unacceptable that students 
have to deal with the abusive practices of predatory loan 
companies, as well as the increased threats of identity theft.
    It is critical that we crack down on these criminal elements 
and improve the security of the systems. Congress also needs to 
support these efforts. Severe budget cuts in recent years have 
made it more difficult to make critical improvements in 
information technology. President Trump's budget proposal and 
staff reduction directives would exacerbate these challenges.
    Finally, if we really, really want to protect students from 
the abuses we are addressing here today, Congress obviously 
cannot abolish the Department of Education, as some of my 
colleagues have proposed. We must support and increase our 
nation's investments in our students. As I often say, our 
children are the living messages we send to a future we will 
never see. The question is how will we send them? The question 
is how will we protect them? And this is that moment. This is 
our watch.
    And with that, Mr. Chairman, I yield back.
    Mr. Russell. Thank you.
    I will hold the record open for five legislative days for 
any members who would like to submit a written statement.
    We will now recognize our panel of witnesses. I am pleased 
to welcome Mr. James Runcie, the chief operating officer, 
Office of Federal Student Aid, Department of Education; Mr. 
Jason Gray, chief information officer from the Department of 
Education; Ms. Silvana Gina Garza, chief information officer of 
the Internal Revenue Service; the Honorable Kenneth C. Corbin, 
Commissioner, Wage and Investment Division of the Internal 
Revenue Service; and Mr. Timothy Camus, the deputy inspector 
general for investigations, Treasury Inspector General for Tax 
Administration.
    We welcome all of you and thank you for being here this 
morning.
    Pursuant to committee rules, all witnesses will be sworn in 
before they testify. Would you please rise and raise your right 
hand?
    [Witnesses sworn.]
    Mr. Russell. Thank you. Please be seated.
    Let the record reflect that the witnesses answered in the 
affirmative.
    In order to allow time for discussion, we would appreciate 
it if you would please limit your oral testimony to five 
minutes each. Your entire written statement will be made a part 
of the record.
    And with that, I am pleased to recognize Mr. Runcie for 
five minutes.

                       WITNESS STATEMENTS

                  STATEMENT OF JAMES W. RUNCIE

    Mr. Runcie. Thank you, Chairman Russell, Ranking Member 
Cummings, and members of the committee, for the opportunity to 
join you today. I will discuss the events that led to the data 
retrieval tool, or DRT, being disabled, the plan to securely 
restore the tool, and the actions we've taken to assist 
students, parents, borrowers, and schools.
    As the largest source of Federal student aid for 
postsecondary education in the U.S., FSA delivered more than 
$125 billion in aid to over 13 million students attending more 
than 6,000 schools last year. FSA is committed to safeguarding 
taxpayer interests as we provide access to Federal student aid 
for students and their families.
    During my tenure at FSA, we have securely managed the 
growth of the direct loan portion of the student loan portfolio 
from 9.2 million recipients and $155 billion to 32 million 
recipients and approximately $1 trillion. One of the critical 
resources that has assisted the Department in this growth is 
the DRT. It first became available in 2010 through the joint 
efforts of the IRS and FSA and provides FSA's customers an 
effective way to transfer required IRS tax information.
    Each year, about half of the 20 million FAFSA filers use 
the DRT and another 4.5 million borrowers use the tool for the 
income-driven or IDR plans. In total, over 55 million FAFSA and 
IDR applications have successfully utilized the DRT since 
inception. Using the DRT has saved millions of hours of 
applicants' time, reduced improper payments by billions of 
dollars, and lowered the verification hurdle for schools and 
their dedicated staff of financial aid professionals.
    Following a broader IRS security review last year, the 
agency contacted FSA about a potential DRT vulnerability. The 
joint goal of the IRS and FSA was to minimize the potential 
vulnerability without causing a major disruption to our 
customers. We agreed to keep the DRT operational while 
increasing the monitoring of the tool for suspicious activity.
    The IRS and FSA have evaluated many solutions that could be 
integrated with both applications and would increase the 
protection of taxpayer information. Many solutions did not meet 
the required security and privacy threshold or resulted in too 
many applicants being unable to access Federal Student Aid.
    In February, we agreed to develop and implement an 
encryption solution. This solution would be employed for the 
2018-19 award year beginning October 1, 2017. The IRS and FSA 
also agreed that we would continue to monitor the applications 
for the current award years and still allow for DRT use.
    On March 3, the IRS alerted FSA of suspicious activity 
related to the DRT and suspended its use. The suspicious 
activity involved bad actors who illegally obtained personal 
information elsewhere and began filling out FAFSAs in order to 
access taxpayer information from the IRS through the DRT. This 
information could then be used to file fraudulent tax returns.
    I want to reiterate that we have no evidence that any 
personal information from the Department systems was accessed. 
However, with evidence that criminals were starting to exploit 
the potential vulnerability of the DRT, using the tool was no 
longer an option. The solution to bring back the DRT allows tax 
information to be electronically transferred, but it will 
encrypt the information and hide it from applicants' view.
    For the DRT--for the IDR application, we are targeting the 
end of May to have the DRT functionality available to 
applicants. For the FAFSA we are scheduled to meet the October 
1st timing for the '18-'19 award year launch. Due to benefit 
and risk considerations, the current award year of '17-'18 will 
not have the DRT available for the remainder of the award year.
    Consequently, we are reminding students, parents, and 
borrowers that they can still apply for aid and repayment plans 
without the DRT. Our ongoing efforts involve utilizing all of 
our communications resources, digital properties and vendors, 
and also leveraging the financial aid community. The Department 
also issued a communication to schools extending flexibilities 
regarding verification procedures.
    I appreciate the opportunity to provide you with this 
information, and I welcome any questions you may have here 
today. Thank you.
    [Prepared statement of Mr. Runcie follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Russell. Thank you.
    And the chair now recognizes Mr. Gray for five minutes.

                   STATEMENT OF JASON K. GRAY

    Mr. Gray. Thank you, Chairman Russell and Ranking Member 
Cummings and members of the committee. I am Jason Gray, CIO for 
the U.S. Department of Education, a position I have had the 
privilege of holding since June of 2016. I appreciate the 
opportunity to speak with you today on the cybersecurity 
incident that led to the shutdown of the IRS data retrieval 
tool.
    As the CIO, I embrace and support the Department's mission 
of promoting student achievement and preparation for global 
competitiveness, fostering educational excellence, and ensuring 
equal access by ensuring that we apply information technology 
effectively, efficiently, and securely. I take this 
responsibility seriously and understand that this includes the 
entire Department, including Federal Student Aid and all 
principal and support offices.
    When we became aware that the IRS had confirmed that tax 
data accessed through the FAFSA link to the DRT may have been 
used to fraudulently file tax returns, we immediately activated 
our incident response processes. This involved coordination of 
Security Operations Center resources to gather forensic data 
and to gain a better understanding of the incident. We held 
daily meetings to facilitate communication between the 
technical staff of my office, Federal Student Aid, and the IRS. 
Additionally, we reported the incident to the office--to our 
Office of the Inspector General and to the United States 
Computer Emergency Readiness Team at Homeland Security.
    While the Department systems were involved, this was in 
essence a scheme directed at retrieving tax data from the IRS. 
There is no evidence that the malicious actors were able to 
access any personal information from the Department systems. I 
am confident that the personal information the Department has 
on borrowers, students, and parents remains appropriately 
protected.
    I will describe several actions we have taken to further 
strengthen and enhance our cybersecurity program to protect 
sensitive data, including PII, that is managed by the 
Department.
    Incident response is a priority for the Department. In 
2015, we created an incident response planning workgroup to 
address cybersecurity incidents and data breach response 
processes. In 2016, the Department conducted two incident 
response tabletop exercises that helped us refine our incident 
response process through the development of lessons learned and 
identification of actions the Department needed to enhance our 
overall incident response process.
    The Department has implemented a number of technical 
controls and solutions to detect policy violations, 
unauthorized changes, and unauthorized access to the 
Department's primary network. These include a data loss 
prevention solution, which restricts users from sending emails 
that contain sensitive PII such as Social Security numbers 
outside of the Department.
    In 2016, the Department also implemented network access 
control, which prevents connection by any unauthorized device 
to the network. A third solution, web application firewalls, 
has been implemented, and we are transitioning web portals and 
web applications to be protected by those firewalls.
    The Department has partnered with DHS on the implementation 
of automated solutions for continuous diagnostics and 
mitigation, which will enable us to continuously monitor our 
network for intrusions and malicious activity. The Department 
also actively leverages multiple DHS-provided shared security 
services.
    I thank you for the opportunity to discuss the 
cybersecurity incident that affected the DRT. The Department of 
Education and the IRS continue working together to continuously 
enhance the security and privacy protections around this 
important capability. I am confident that the technical 
solution currently being worked will achieve this goal. I would 
be pleased to answer any questions you may have.
    [Prepared statement of Mr. Gray follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Russell. Thank you.
    The chair now recognizes Ms. Garza for five minutes.

                STATEMENT OF SILVANA GINA GARZA

    Ms. Garza. Chairman Russell, Ranking Member Cummings, and 
members of the committee, thank you for the opportunity to 
appear before you today to discuss the cybersecurity incident 
associated with the Federal Student Aid data retrieval tool, or 
DRT. I have been a public servant for over 32 years, and I have 
been an information technology executive for the last 17. 
Recently, I became the chief information officer, having served 
as the deputy CIO for the four years prior.
    During this time, I have seen a dramatic change in the 
number and types of attacks fraudsters and criminal enterprises 
use to try to get the data we are committed to protecting. As 
the tactics have changed, the IRS's attitude and approach 
towards cybersecurity and refund fraud have also changed. We 
understand that the enemy is ever-changing and that we must 
stay diligent in continually assessing our risk posture and 
improving our defenses. We know that we are--we all share the 
responsibility to ensure that cybersecurity is embedded in 
every part of our operation.
    Stepping into the role of CIO eight months ago, I 
established two priorities: cybersecurity and delivering a 
successful filing season. Having been an executive in the 
Business Operating Division, I appreciate the delicate balance 
between meeting taxpayer needs with quick and convenient access 
to online programs and securing our systems.
    We did not take lightly the decision to disable the DRT 
tool. We knew that doing so had the potential to disrupt 
millions of students applying for Federal financial aid. Even 
so, I believe we made a sound decision, one which would protect 
the data of approximately 175 million Americans. This is our 
highest priority.
    I appreciate your decision to conduct a public hearing on 
the subject, as I believe it is critical that we continue to 
raise awareness of the widespread cyber and identity theft 
threats we are facing across the globe today. Every day, 
thousands of individuals fall victim to identity theft. 
Government and private sector companies are all being bombarded 
with cyber attacks. We in the IRS have a front row seat. Every 
day, the IRS receives and defends on average a million attempts 
to penetrate our systems. Identity theft continues to be a 
major threat to our tax administration efforts.
    When we first became concerned with the level of 
authentication protecting the data retrieval tool, we assessed 
the risk to determine if we should shut down the application. 
Our practice has been to shut down the application of concern 
until we have mitigated the risk. In prior situations, no other 
agency was involved. This situation was different. The 
Department of Education was highly dependent on the data 
retrieval tool for the success of its program and to serve its 
customers. We would not make a decision to shut down the 
application without engaging the Department of Education in the 
decision process.
    We discussed the need to raise the level of authentication 
with the Department of Education. Additionally, we discussed 
the fact that this could be done at either the Department of 
Education website or at the point the applicant invokes the DRT 
tool. The Department of Education needed to have a user-
friendly solution in place. This made it undesirable to 
implement a solution that would cause about 75 percent of 
applicants to be unable to complete the process. We continued 
to collaborate with the Department of Ed to find an alternative 
solution to protect the data.
    At that time, there was no evidence of data loss or fraud, 
so we agreed to not shut down the application while we worked on 
an acceptable solution. We were always clear that the moment we 
had evidence of data loss or fraud, we would turn off the data 
retrieval tool. On March 3, having confirmed an incident of 
fraud, we turned off the application. Details of the incident 
and activities leading up to the decision to shut down the 
application are in the written testimony.
    In conclusion, protecting data is our highest priority. 
This threat is persistent and ever-changing, and the IRS 
remains diligent and ever watchful. The portion of the funds 
Congress provided last year to support cybersecurity has helped 
us implement tools and processes that have enhanced our 
capabilities, but there will always be more work to be done.
    Chairman Russell, Ranking Member Cummings, members of the 
committee, this concludes my oral testimony. I will be happy to 
answer your questions.
    Mr. Russell. Thank you. The chair now recognizes Mr. Corbin 
for five minutes.

                 STATEMENT OF KENNETH C. CORBIN

    Mr. Corbin. Chairman Russell, Ranking Member Cummings, and 
members of this committee, I am the new commissioner of the 
IRS's Wage and Investment Division, having started this 
position at the beginning of the year. My responsibilities 
include overseeing the processing of tax returns, issuance of 
refunds, preventing and detecting refund fraud, and providing the 
best possible taxpayer service. Thank you for this opportunity 
to testify.
    My colleague, Ms. Garza, has described the work the IRS is 
doing in collaboration with the Department of Education to 
secure the DRT. I will put that in a broader context of how we 
are working to save at all of our programs where we share 
taxpayer information. I will also update the committee on our 
efforts to help taxpayers who may have been affected by the 
incident earlier this year involving the DRT.
    An important focus of the IRS's efforts to protect taxpayer 
data is the ongoing battle against stolen identity refund 
fraud. We have made steady progress over the last few years 
against this threat, but as many colleagues noted, this threat 
is constantly evolving. To address this challenge, the IRS has 
worked to increase our ability to monitor, detect, analyze 
suspicious activity within our systems. Congress helped us by 
approving $290 million in additional funding in 2016, which 
included $95 million to improve cybersecurity. We have used a 
portion of that funding for monitoring equipment and other 
capabilities that are more sophisticated than we previously 
had. This is helping us detect unusual activity in our various 
online tools and applications more quickly.
    Despite all this progress we've made, we realize we cannot 
relax the fight against identity theft. We are finding that, as 
the IRS enhances return processing filters, catches more 
fraudulent returns at the time of filing, criminals attempt to 
become more sophisticated at mimicking taxpayers' identities so 
they can evade those filters and successfully obtain fraudulent 
refunds. Therefore, the IRS is working not just to react better 
and faster but also to stay ahead of the criminals.
    In that regard, we've also undertaken a broad effort to 
review authentication practices for programs where we share 
taxpayer information and strengthen those practices where 
necessary. Student aid is an area where we have been concerned 
about the ability of bad actors to fraudulently obtain taxpayer 
information. That led us beginning last fall to more closely 
monitor activity on the DRT and work with the Department of 
Education to make the DRT more secure. In investigating the 
incident earlier this year involving the DRT, we found that the 
data obtained through unauthorized use of the tool was in some 
cases used to attempt to file false returns.
    Our strengthened fraud filters have stopped a significant 
number of questionable tax returns by filers who access the 
DRT. We are working to determine whether any of those returns 
are in fact fraudulent. Our analysis of the suspicious activity 
involving the DRT found approximately 100,000 individuals may 
have had their taxpayer information compromised.
    While we have indications that a large number of these 
taxpayers are--in all likelihood did not have any information 
compromised, in an abundance of caution, we have mailed letters 
to all of these taxpayers. We wanted to tell them about the 
possibility of unauthorized activity related to their personal 
information so they can take steps to secure their data. We 
also offered them free credit monitoring. Along with notifying 
these taxpayers, the IRS is marking their accounts to provide 
additional protection against the possibility that an identity 
thief could file a false return using their information.
    We also recognize that many families trying to apply for 
student aid have been inconvenienced by the decision to shut 
off the DRT while we work to improve security for the tool. In 
the interim, families can still complete the application for 
student financial aid by manually providing the requested 
financial information from copies of their return. Although we 
realize this is not as convenient as using the DRT, we have a 
responsibility to ensure the DRT and all of our online tools 
are fully protected from identity thieves.
    Chairman Russell, Ranking Member Cummings, and members of 
this committee, that concludes my statement. I will be happy to 
take your questions.
    [Prepared joint statement of Mr. Corbin and Ms. Garza 
follows:]

    Mr. Russell. Thank you.
    The chair now recognizes Mr. Camus for five minutes.

                 STATEMENT OF TIMOTHY P. CAMUS

    Mr. Camus. Thank you. Chairman Russell, Ranking Member 
Cummings, and members of the committee, thank you for the 
opportunity to testify on the topic of the recent free 
application for Federal Student Aid data retrieval tool breach.
    On average, each year the IRS issues approximately $400 
billion in refunds, processes 242 million tax returns, and 
collects over $3 trillion in revenue. In addition to the 
significant amount of money that flows through the IRS each 
year, the taxpayers' IRS information is extremely valuable to 
identity thieves. As a result, the IRS has become a persistent 
target of cyber criminals located all over the world.
    Over the past several years, TIGTA has conducted numerous 
investigations of a variety of cyber attacks on the IRS. For 
example, in May 2015 criminals launched a coordinated attack on 
the IRS e-authentication portal that was estimated to impact 
110,000 taxpayers. Further investigation revealed that more 
than 700,000 taxpayers were impacted by abuses of the system by 
multiple bad actors over an extended period of time.
    In January 2016, the IRS e-file PIN application was 
exploited. The IRS estimates the exploitation resulted in the 
issuance of over 100,000 e-file PINs that were used to file 
fraudulent tax returns seeking more than $100 million in 
fraudulent refunds.
    On January 25, 2017, the IRS noticed unusual activity on 
the FAFSA data retrieval tool. The IRS reported this 
observation to the Department of Education. The Department of 
Education advised the IRS that they believed the activity was 
legitimate activity.
    Then, on February 27, 2017, it was determined that the 
FAFSA data retrieval tool was in fact being used in order to 
steal taxpayers' adjusted gross income, or AGI, information. 
Taxpayer AGI information is extremely valuable to identity 
thieves as it is needed by criminals in order to authenticate 
themselves for the purpose of filing fraudulent tax returns and 
stealing refunds.
    Due to this activity, in early March 2017, the IRS made the 
decision to take the data retrieval tool offline. It is 
estimated at this time that as many as 100,000 taxpayers may 
have had their AGI information stolen through this 
exploitation.
    Through the benefit of hindsight, all of these cyber-
related incidents that I've discussed reveal that although the 
IRS conducts electronic risk assessments of its tax information 
sharing sites, it has had difficulty in identifying proper 
levels of risk associated with the various applications. That 
is because the struggle with determining the risk, then 
necessary authentication requirements, all the while balancing 
the ease of use for taxpayers, continues to be the challenge.
    As we learn from our investigations how cyber criminals are 
defeating the various authentication and security requirements, 
we share what we learn with the IRS in order to help them shore 
up their applications. One thing is crystal clear. There is a 
determined criminal element paying close attention to 
electronic tax administration, and I believe these criminals 
will continue to present challenges to the future of efficient 
and secure electronic tax administration.
    In summary, we at TIGTA take seriously our mandate to 
protect American taxpayers and the integrity of the IRS. As 
such, we plan to provide continuing investigative and audit 
coverage in the area of cybersecurity, and we look forward to 
continued discussions on ways we can fight these types of cyber 
crimes in the future.
    Mr. Chairman, Ranking Member Cummings, and members of the 
committee, thank you for the opportunity to share our views, 
and I look forward to answering questions.
    [Prepared statement of Mr. Camus follows:]
    Mr. Russell. Thank you.
    The chair will now recognize himself for five minutes.
    Ms. Garza, you know, as I look at this situation--and you 
certainly have a lot of experience both in the CIO arena, as 
well as in public service, and we do appreciate that. A lot of 
times public servants are taken for granted. But with your 
broad experience, that is not taken lightly. But still, as we 
examine this issue, we are trying to get to who is responsible 
for making the operational and security decisions for the data 
retrieval tool?
    Ms. Garza. Sir, as I said in my opening testimony, we are 
all responsible for ensuring that cybersecurity is our top 
priority. As a group, we look at every risk assessment, we 
evaluate the situation, and we make the decisions as to what 
level of risk we're willing to take with the application that 
we are talking about.
    Over the last year since Get Transcript, we've become much 
more conservative, but we evaluate the situation, we discuss 
it, and we determine what actions we need to take.
    Mr. Russell. Now, in your testimony you had mentioned that 
this was unique because, unlike attempts or attacks on the IRS 
and the different departments within the IRS, this involved a 
different department. So you had one end of the pipe and the 
other end of the pipe. So when you learned in September 2016 
that it was possible to, with, quote, ``little stolen personal 
information,'' for a hacker to pose as a student and access the 
DRT tool and the data stored on that tool, why did you not move 
to immediately secure the tool through encrypting or otherwise 
masking the sensitive information accessible through the DRT?
    Ms. Garza. So there was a couple of actions that we took at 
that time. We--first of all, there was no data loss at the 
time. We had no evidence of fraud at the time. We immediately 
----
    Mr. Russell. Well, there was no evidence of fraud but that 
doesn't mean that there wasn't. I mean, you had a clear 
indication that something was awry, yes or no?
    Ms. Garza. We looked at the analytics and we looked at all 
of the data that we had available to us at the time, and we did 
not see anything suspicious. We contacted the Department of 
Education. Our--both cyber organizations started to work to 
look at the data, and the data did not reveal that there was 
any kind of penetration going on at that time.
    Mr. Russell. Well, didn't--and I guess--you know, and here 
is the information I am speaking at specifically. You know, the 
isolated case, did it not result in an indictment that is still 
processing in the courts from September 13?
    Ms. Garza. It was a single case, and they did not get the 
data.
    Mr. Russell. Well, I guess then let me follow on this vein 
because what I hear each of the panelists saying is that no 
data breach, no problem, and I hear Mr. Camus say 100,000, 
investigation ongoing, and fraudulent returns filed, and I will 
come back to some of that. But, Mr. Gray, to what extent do you 
think that the Department is responsible for securing the data 
accessible on FAFSA.gov and other web-based applications?
    Mr. Gray. One hundred percent we're responsible for 
securing our data.
    Mr. Russell. Okay. But yet we see what the Department of Ed 
saying, hey, give us the tool, we have the IRS saying here is 
your tool and you have got data coming out the spigot on one 
end, you think it is secure on the other, there is a leak, and 
yet it took you how many months from September to February to 
even recognize and say, no, we thought it was legitimate in 
September but now we think we might have a problem. That is a 
big period of breach. So would you say that you have a 
responsibility for--you do have that responsibility, but that 
wasn't perceived as such in September?
    Mr. Gray. It was perceived that there was a potential 
vulnerability in September, October, and the two departments 
worked together to create a solution that would prevent that 
vulnerability from being exploited. It did--when it became an 
exploited vulnerability, which was in March, is when we took 
the appropriate action to bring it offline.
    Mr. Russell. And yet it wasn't shut down when you had 
indication in the start of a new financial aid season. And I 
guess what I would like to do is--you know, Mr. Runcie, you 
said that there was no evidence that info was accessed, but 
were fraudulent returns filed with regard to this data?
    Mr. Runcie. Mr. Chairman, I can't tell you if fraudulent 
returns were filed or not. What I can tell you-- because we're 
not privy to that information. What we did was we analyzed the 
Social Security numbers, IP addresses. We did a pretty 
exhaustive examination looking at indicators of risk, and we 
returned that information to the IRS so that they could 
complete some of their analysis.
    In September, as I mentioned earlier in my oral comments, 
we at that point probably had filed 50 million applications 
using the DRT. So we filed a substantial amount of applications 
using the DRT going back seven years to 2010.
    It is an evolving landscape and it's quite possible, as 
we've said, that the criminals and the fraudulent activity, you 
know, they're innovative and so things change. But over that 
period of time there wasn't any documented material criminal 
activity on the DRT. When that was found and confirmed, it was 
shut down. So there's a history there that--one we relied on 
even though we continued to monitor it, and we balanced that 
against the risk of shutting off the tool and all the 
implications around shutting off the tool.
    Mr. Russell. Well, there is always a risk of protecting 
taxpayers, and I want to be respectful of the time here. But 
before I turn it over to the ranking member, you know, what it 
appears is that we are not identifying that we had a breach and 
it has made us more vulnerable. And with that, we will come 
back to some of that at a later time.
    I would like to recognize the ranking member, Mr. Cummings.
    Mr. Cummings. Thank you very much, Mr. Chairman.
    Mr. Runcie, this past September, the inspector general 
issued a scathing report warning that student loan companies 
were using the Federal aid website to take advantage of 
students. The IG explained the tactics these companies were 
using to commit possible fraud. First, the loan companies would 
obtain the logon credentials students used to access their 
accounts. Then, the loan companies would change or create new 
credentials to let them take control of the student accounts. 
These loan companies took advantage of the students for 
commercial gain in many different ways. Now, Mr. Runcie, are 
you aware of that report?
    Mr. Runcie. Yes, I am.
    Mr. Cummings. And in one case the IG reported that a loan 
consolidation company, and I quote, ``changed the mailing 
address, phone number, and email address for borrowers so that 
it would be difficult for borrowers to be contacted by their 
own loan servicers.'' Another company charged students $60 
monthly service fee to, and I quote, ``put their loans into 
forbearance with the stated promise of eventually enrolling 
them in the Public Service Loan Forgiveness or some other debt 
reduction program even though the borrowers in some cases were 
not qualified for these programs.''
    Now, Mr. Runcie, when you read this report, were you 
troubled by these companies that did this to these students?
    Mr. Runcie. Ranking Member Cummings, yes. I think we were 
all troubled. And we continue to work with the IG. We have a 
potential solution or mitigating action that we're going to 
take later this month. So we understand what the issue is. But 
as you mentioned earlier, there is the technicality of someone 
who potentially signs up for these services. So whether it's 
through power of attorney or some other agreement, there is 
sort of that technical issue that we have to deal with.
    Mr. Cummings. So the IG reported that it could not 
prosecute these loan companies based on technicalities. For 
example, many of these companies required students to sign 
those powers of attorney in order to get the loans. The 
companies that used these powers of attorney to improperly 
access the student accounts. Now, Mr. Runcie, it should not be 
necessary for students to sign powers of attorney to get 
student loans. Do you agree with that?
    Mr. Runcie. Yes, I absolutely agree. And I think one of the 
approaches that we've taken is to go heavy on user education. I 
mean, ultimately, all these services that are being provided 
can be done free. But again, through aggressive marketing 
tactics and so forth, it's quite possible that there are number 
of people who are not aware that they can get these services 
done free. So we've been real focused on user education, and in 
addition, you know, we're going to make sure that there's 
information out there that the IG can leverage in terms of 
going after some of the bad actors that are out there, and 
that's what I referenced a little bit earlier without actually 
being specific.
    Mr. Cummings. I got you. Now, what other actions have been 
taken so that going forward these student loan companies will 
be held accountable for these abusive activities? I just think 
there is something about this that just tears at my heart 
because I see so many--I sit on the board of a college, and I 
see young people having to drop out of school because they 
don't have money and they are struggling. They just want to go 
out there and be all that God meant for them to be. And not 
only do they have to fight people who are supposed to be 
helping them, but then they lose the opportunity. And they 
don't lose it maybe for a week or a day. They lose it for a 
lifetime. That is why I am so concerned about this.
    Now, what assistance can Congress provide to help hold 
student loan companies more accountable? What can we do? Do you 
need some help?
    Mr. Runcie. Yes. I mean, you know--while I have some 
thoughts ----
    Mr. Cummings. Give us your thoughts because we have a duty. 
Once we find out that there are things that we can do, we need 
to explore to try to figure out whether they are practical to 
be done ----
    Mr. Runcie. Yes, well ----
    Mr. Cummings.--but we have got to know what they are.
    Mr. Runcie. Yes. I mean, so there is that technicality. I 
don't know if there is a way to sort of limit the ability to 
transfer the authority of giving away your password and your 
information so that others can provide those services. If there 
is some, you know, legislative process to address that, then, 
you know, I would be an advocate of it.
    I think the other thing, though, is you've got a balance 
that potentially with there may be a population--and I know 
it's--it would be a segment, a small segment of the people that 
are being contacted who may actually need some guidance for 
some--whether it's loan consolidation or providing some other, 
you know, value within the Federal Student Aid system. There 
may be some small amount, and we would have to sort of think 
about the impact on those that might need some level of 
assistance.
    But again, I think the bigger problem is what you 
indicated. There is the potential for people to be put in a 
situation where they're harmed for a very long period of time 
because they're not educated about some of the options out 
there to do it by themselves.
    Mr. Cummings. So would you think legislation regarding 
the--doing away with the power of attorney requirement would be 
appropriate?
    Mr. Runcie. I think it would be something that we should 
consider. You know, again, I--we'd have to do some analysis, 
you know, and it could be surveys or whatever. There are--like 
I said, there's potentially a group of some of the most needy 
who may need some assistance, and I can't calibrate that right 
now. But I think, as you said, the bigger problem is that 
there's a lot of them that aren't aware that they don't need to 
pay for these services and are being exploited.
    Mr. Cummings. Mr. Chairman, I would hope that we would 
pursue this even further. I think it would be legislative 
malpractice for us not to protect these students. It is 
ridiculous that we--we have got to do all that we can. I am sure 
that you will work with us and everybody up there on our panel 
work with us try to make sure that happens.
    The other thing that we have got to do, Mr. Chairman, we 
can't have just a hearing with these folks. We have got to 
bring in these people that are messing over our young people 
and playing games with their lives. And so I look forward to 
working with you and Chairman Chaffetz as we move forward.
    Mr. Russell. And I thank the ranking member and agree that, 
you know, it extends even beyond the students. It extends 
really to all Americans. This is very private data and even to 
their parents and others and look forward to working that 
effort.
    The chair would like to recognize now the gentleman from 
North Carolina, Mr. Walker, for five minutes.
    Mr. Walker. Thank you, Mr. Chairman.
    Mr. Camus, I want to ask you to describe the following 
three incidences, but I would just like for you to confirm them 
if you would, please, specifically the ones starting in 
September 2016. Was that incident involving the data retrieval 
tool, was that criminal in nature?
    Mr. Camus. Yes, it was.
    Mr. Walker. Okay. Did the incident result in an indictment?
    Mr. Camus. Yes, it did.
    Mr. Walker. Okay. There was also one that was identified in 
November 2016 and the third one was on January 25, 2016, by 
which a high number of taxpayer identification numbers were 
identified as being processed on the FAFSA that raised red 
flag. Did this result in a notification of a major incident to 
Congress?
    Mr. Camus. No, it did not.
    Mr. Walker. Okay. Ms. Garza, given the three separate 
incidents as described by TIGTA that predated the major 
incident that resulted in the DR tool not being taken offline 
on March 3, the question is why was the data retrieval tool not 
taken offline earlier?
    Ms. Garza. So ----
    Mr. Walker. Microphone, please. And if you would, just 
could you pull that microphone a little closer and speak into 
it there? Thank you.
    Ms. Garza. Thank you, sir. Congressman, in regard to the 
September incident, we took immediate action by analyzing the 
data that we have, and we found that there was no evidence of a 
breach. The data was not lost. And we started working with the 
Department of Education to strengthen the authentication 
process for the data retrieval tool.
    I am not aware of the incident in November and so I will 
have to go back and look at what the findings were for that.
    Mr. Walker. Yes. I don't understand the fact as far as 
saying, well it wasn't breached, it wasn't breached. I was just 
listening thinking of my family back home. If I have got a 
security system, yet we have still people trying to break into 
that, at some point I am going to be concerned, say, well, oh, 
nothing was taken, nobody was hurt, nothing was damaged. It 
doesn't make sense to me that there is not more action being 
taken here. Shouldn't the IRS be concerned about criminal 
misuse of the tool being sufficiently perked? Is that not 
something that is important?
    Ms. Garza. Protecting the taxpayer data is our top 
priority. We had to--we're trying to balance the protection of 
the taxpayer data with the use of the tool, and that is why we 
reached out to the Department of Education to have discussions 
about what we could take. We saw this is action that we needed 
to take immediately, and we did take that--those actions to 
come up with--to try to come up with a solution that would 
mitigate the risk.
    Mr. Walker. Now, the keyword is trying to come up with a 
solution. I am not sure we have arrived at that. And according 
to Mr. Runcie's written testimony, after the October 2016 
discovery that the DRT could potentially be vulnerable, the IRS 
increased monitoring of the tool for any suspicious activity. 
Could you describe what that increased monitoring looked like?
    Ms. Garza. That is correct. We--actually, we engaged with 
our TIGTA friends and asked them, as well as the new cyber 
analytics team that we have in place, to start looking for 
suspicious activity. And actually it was because of that 
increased monitoring that we had done that we identified that 
there was suspicious activity occurring in January.
    Mr. Walker. Yes. There was an incident also in February of 
this year, I believe. Was that discovered by accident?
    Ms. Garza. We have mechanisms in place, multilayer defense 
mechanisms. One of the mechanisms is a notification to the 
address of record to the individual whose data has been 
identified. That actually led us to identify that we had an 
issue. As we investigated that issue, we were able to find that 
in fact there was a fraud that had taken place and we 
immediately shut down the application.
    Mr. Walker. So for the record you are saying that no, that 
it wasn't discovered by accident?
    Ms. Garza. There was a notice that was generated to the 
taxpayer that had that taxpayer come in and notify us that 
there was something amiss.
    Mr. Walker. To me this is not only a question of taking 
responsibility for the IRS and Department's web-accessible 
services and data but of understanding the cybersecurity risks 
these online services and applications face. And I certainly 
agree with the Ranking Member Cummings. These are young 
people's lives at stake, and to--as they are coming out and 
getting started, to be able to put them on a path where they 
are having to unravel this, I hope there is more of a sense of 
urgency to deal with this issue than what presently seems to be 
at the time.
    With that, Mr. Chairman, I yield back.
    Mr. Russell. The gentleman yields back.
    And the chair would now like to recognize the gentlelady 
from New Jersey, Mrs. Watson Coleman, for five minutes.
    Mrs. Watson Coleman. Thank you very much, Mr. Chairman, and 
good morning to all of you.
    Mr. Runcie, in September the inspector general reported 
that student loan companies misused the Department's system to 
take advantage of students. As reprehensible as this finding 
is, this is not the first time student loan companies have 
acted against the best interests of the students they are 
supposed to be serving. In 2015, the Consumer Financial 
Protection Bureau and the Department conducted a public inquiry 
finding a vast universe of complaints regarding loan servicers.
    And even more concerning, this current administration has 
withdrawn a series of policy memos that have been issued from 
the previous administration that were put in place to 
strengthen protections for student loan borrowers. Mr. Runcie, 
what impact would this action have on student loan borrowers? 
And do you think that this could aggravate the issue of 
predatory lending practices?
    Mr. Runcie. Well, in terms of our focus, you know, our 
focus from a servicing perspective is to make sure that we have 
the highest quality outcomes for all the students and 
borrowers. And, you know, we've done a--we've put in place a 
series of actions over the years, and right now, we're going 
through a re-competition among the servicers that you 
referenced. Because we're in a procurement process, I can't 
really talk about specifics, but I will just reiterate that we 
are focused on having the highest quality product that we can 
from a servicing perspective and generating the best outcomes 
for students and borrowers.
    Mrs. Watson Coleman. Are you aware of the rollback of 
certain oversight and accountabilities that had been instigated 
or initiated in this administration that are overturning some 
of those accountabilities that were designed to protect 
students and vulnerabilities?
    Mr. Runcie. I personally am not aware of any rollbacks.
    Mrs. Watson Coleman. Is there anyone on this panel that has 
any knowledge of any recent actions on the part of either this 
administration through the White House or the Department of 
Education that will negatively impact the accountability of who 
is and who is not a good person or entity to work in this 
space? Is that a no? There is no one?
    Ms. Garza. No.
    Mr. Gray. No.
    Mr. Corbin. No.
    Mrs. Watson Coleman. Interesting. Okay. This January, the 
Consumer Financial Protection Bureau filed a lawsuit against 
one of the Nation's largest servicers of Federal and private 
student loans, Navient. According to the lawsuit, Navient cost 
borrowers billions of dollars by withholding information about 
income-based repayment programs that could have lowered 
borrowers' monthly payments. Instead, they reportedly pushed 
borrowers into forbearance, suspending their payments but not 
the accrual of the compounding interest. Mr. Runcie, are you 
familiar with these allegations in CFPB's lawsuit?
    Mr. Runcie. Yes, I'm familiar with those allegations.
    Mrs. Watson Coleman. Navient services the student loans of 
more than 12 million borrowers and roughly 6 million of whom 
are serviced to contractors with the Department of Ed. Is that 
so?
    Mr. Runcie. I believe that's right.
    Mrs. Watson Coleman. And Navient sought to dismiss CFPB's 
complaint as part of its defense. It alleged, and I quote, 
``the servicer acts in the lender's interest and there is no 
expectation that the servicer will act in the interest of the 
consumer.'' Is that right?
    Mr. Runcie. I'm sorry. I didn't hear the last part.
    Mrs. Watson Coleman. The servicers--the servicer ----
    Mr. Runcie. Yes.
    Mrs. Watson Coleman.--acts in the lender's interest and 
there is no expectation that the servicer will act in the 
interest of the consumer.
    Mr. Runcie. Yes, I understand that statement. In the case 
of, you know, private lenders, a servicer would be acting on 
the behalf of private lenders. That's right.
    Mrs. Watson Coleman. Does it concern you that companies 
like Navient publicly claim they have no responsibility to act 
in the best interest of the students they are supposed to be 
serving?
    Mr. Runcie. We are currently in a procurement process and I 
can't make a comment on that, of which Navient is also in the 
procurement process so I can't make a comment on that. We're 
making decisions about our servicers.
    Mrs. Watson Coleman. All right then. I would expect that 
what you were going to do is to look at information such as 
this and not--we are not going to ask you again about someone 
like Navient even though you can't express whatever is 
happening with regard to the company right now.
    Mr. Runcie. You know, what I can say is, I mean, we look at 
past performance, we look at responsibility metrics. There are 
criteria that we have to look at in terms of the process but ----
    Mrs. Watson Coleman. Well, I don't know by number the 
executive order or the rollback that just took place as it 
relates to looking back at a company's business and reputation, 
but I think that is something you need to look at to see 
whether or not it does negatively impact your ability to ensure 
that the best is taking care of the best.
    Mr. Runcie. Absolutely.
    Mrs. Watson Coleman. Thank you. And with that, I yield 
back.
    Ms. Foxx. [Presiding] The gentlewoman yields back.
    The gentleman from Ohio, Mr. Jordan, is recognized for five 
minutes.
    Mr. Jordan. I thank the chair.
    Mr. Corbin, when did the IRS notify TIGTA that you guys had 
a problem?
    Mr. Corbin. Sir, the notification to TIGTA for the incident 
on February 27 happened that same day.
    Mr. Jordan. So you guys talked to Mr. Camus and his guys on 
February 27 of this year?
    Mr. Corbin. I did not personally talk to Mr. Camus ----
    Mr. Jordan. Someone at the IRS?
    Mr. Corbin.--but someone at the IRS did, yes, sir.
    Mr. Jordan. Got it. And how many taxpayers are potentially 
harmed by the hacking and the breach that took place?
    Mr. Corbin. Approximately 100,000, sir.
    Mr. Jordan. Hundred thousand people. And then the law 
requires you to notify Congress when something like this 
happens, doesn't it?
    Mr. Corbin. I'm not familiar with that, sir.
    Mr. Jordan. Well, I will read it to you. This is a letter 
from your boss, Mr. Koskinen. The Federal Information Security 
Modernization Act and criteria provided in the Office of 
Management and Budget guidance says this, that not later than 
seven days after the date of an incident you should notify 
Congress, right?
    Mr. Corbin. Correct. Yes, sir.
    Mr. Jordan. Okay. So you are supposed to do it and you are 
supposed to do it within seven days. Is that accurate?
    Mr. Corbin. That sounds accurate, yes, sir.
    Mr. Jordan. Okay. It doesn't just sound accurate. That is 
the law.
    Mr. Corbin. Yes, sir.
    Mr. Jordan. So when did you tell Congress?
    Mr. Corbin. Sir, I believe we notified Congress within that 
seven-day timeframe from what I know.
    Mr. Jordan. Really. Is that true, Mr. Camus?
    Mr. Camus. Mr. Jordan, I'm not sure when they made 
notification to Congress.
    Mr. Jordan. Because we don't have it until April 6, which 
is a lot longer than seven days. You learn on February 27, you 
tell Congress on April 6.
    Mr. Corbin?
    Mr. Corbin. I'd have to go back and check that, 
Congressman.
    Mr. Jordan. Well, that is important, right?
    Mr. Corbin. Yes, sir.
    Mr. Jordan. Mr. Koskinen testified on April 6 and that is 
when he told us.
    Mr. Corbin. Well, I ----
    Mr. Jordan. He testified in front of the Senate.
    Mr. Corbin. Yes, Congressman. I'd have to go back and take 
that back and confirm that for you, sir.
    Mr. Jordan. Well, I don't know that--well, we would 
appreciate that, but this is when Congress first learned was on 
April 6 that there had been an incident. And here is what the 
statute says. It says, ``not later than seven days after the 
date on which there is a reasonable basis to conclude that a 
major incident has occurred.'' Would you describe this as 
major, Mr. Camus?
    Mr. Camus. The fact that it impacted potentially 100,000 
people, I would say so.
    Mr. Jordan. Same here. So we are wondering why you waited 
so long.
    Mr. Corbin. I don't have an answer to that, Congressman. 
I'll go back and find out for you.
    Mr. Jordan. Well, we would like to get that because, 
frankly--well, let me turn to Mr. Camus.
    Mr. Camus, is this the first time the IRS has waited to 
tell Congress some important information?
    Mr. Camus. Mr. Jordan, I'm not aware. I can't answer your 
question.
    Mr. Jordan. Well, maybe I will refresh your memory. There 
was a little incident that happened over the last several years 
where the Internal Revenue Service systematically and for a 
sustained period of time targeted taxpayers based on their 
political beliefs. Are you familiar with that situation, Mr. 
Camus?
    Mr. Camus. I am familiar with that.
    Mr. Jordan. You did an investigation into that, didn't you?
    Mr. Camus. Yes, sir.
    Mr. Jordan. A couple of investigations ----
    Mr. Camus. A couple.
    Mr. Jordan.--didn't you?
    Mr. Camus. Yes, sir.
    Mr. Jordan. Yes. And was the IRS always forthcoming in a 
timely fashion with important information in that investigation 
you did, Mr. Camus?
    Mr. Camus. We found that there were some mistakes that were 
made and some materials that should have been turned over, 
that's correct.
    Mr. Jordan. Well, that is a nice way of saying it. I 
appreciate that. You have got maybe a career in politics after 
you are done at TIGTA, Mr. Camus, with that answer.
    Let me just refresh your memory. The IRS knew there was a 
gap in Lois Lerner's emails in February 2014. They did nothing 
to stop the destruction of backup tapes, actually 421 backups. 
You remember this, Mr. Camus?
    Mr. Camus. Yes, sir, I do.
    Mr. Jordan. Because it was your investigation that 
discovered they destroyed 421 backup tapes, right?
    Mr. Camus. That is correct, sir.
    Mr. Jordan. Potentially 24,000 emails, right?
    Mr. Camus. Yes, sir.
    Mr. Jordan. And that all happened in March 2014, a month 
after they knew there was a gap in her emails. And Mr. Koskinen 
testified in April of 2014, but you know what he told 
Congress? June 13, 2014, is that right, Mr. Camus?
    Mr. Camus. That's correct.
    Mr. Jordan. So here we have again the Internal Revenue 
Service, an agency that has a little bit of influence and 
impact on American people's lives, with a major breach that the 
law says you are supposed to tell Congress within one week, 
within seven days. And what did they do? They wait 38 days. And 
you know what--to add insult to injury, think about what 
Congressman Walker just talked about, all the suspicious 
activity that took place before February 27.
    In fact, when Mr. Koskinen testified and said, oh, we are 
putting you on notice, Congress, that there has been a major 
breach, 100,000 taxpayers potentially impacted, look at what he 
said in that testimony. He said this: April 6, 2017, Mr. 
Koskinen testified in front of the Senate Finance and said, 
quote, ``We have started working with Education in October 
telling them we were very concerned,''--very concerned--``that 
the system could be utilized by criminals.''
    So Mr. Koskinen was on notice that there were problems, 
potential problems, potential big problems. He even used the 
term ``very concerned'' clear back in October of last year. We 
have the major breach take place on the 27th when the IRS tells 
you, hey, guys, we have got to look into this; this is real. We 
have had all these things happen, suspicious activities ahead 
of time, and they don't comply with the law and tell Congress 
within a week. They wait 38 days to tell us. It is not supposed 
to be how it works, is it, Mr. Camus?
    Mr. Camus. It doesn't sound so, sir.
    Mr. Jordan. No. And the IRS--once again, the IRS is 
treating taxpayers the way they are not supposed to, and it is 
why this committee has been so focused on trying to clean up 
the mess over there and frankly I have been so focused on 
saying Mr. Koskinen has to go.
    With that, I yield back, Madam Chair.
    Ms. Foxx. Thank you, Mr. Jordan.
    Ms. Plaskett, you are recognized for five minutes.
    Ms. Plaskett. I want to thank the lovely chairwoman this 
morning for the opportunity to speak.
    Thank you all for being here. Of course, everyone on both 
sides of the aisle is very concerned about this issue. Most of 
us have children and have our own student loans or have loans 
that we are helping with the children that we care very much 
about our future, as well as our constituents'.
    I did, however, just want to touch on something that I know 
one of my colleagues spoke about just a few moments ago, Mr. 
Runcie, when they talked about the lawsuit with Navient. It is, 
however, understood that this is a lawsuit so the interest of 
both parties--you know, they both have allegations raised. But 
Navient does have a lower default rate than some of the other 
users or loan companies that--and they do have a propensity to 
loan to minority and underserved communities, is that correct? 
I understood that the default rate of the students who have 
loans with Navient is potentially significantly lower than 
some of the other loan companies.
    Mr. Runcie. I would have to confirm that. And a lower 
default rate is better, right?
    Ms. Plaskett. Right.
    Mr. Runcie. Yes.
    Ms. Plaskett. Yes.
    Mr. Runcie. But I'd have to confirm that.
    Ms. Plaskett. Okay.
    Mr. Runcie. And I know the portfolios aren't all the same. 
They have different compositions and so sometimes there would 
be natural, you know, differences in the default rates for the 
various servicers.
    Ms. Plaskett. Sure. Sure. Okay. So one thing that is really 
interesting as well, Mr. Runcie, when we are talking about the 
inspector general's report, it seems, you know, something that 
we are all very focused on. And the IG warned that the systems 
were, and I quote, ``being misused by commercial third parties 
to take over borrower accounts.'' This is something that 
Ranking Member Cummings talked about. These are things that we 
are really very keen on because these are of course students 
who are navigating a very difficult system. This is sometimes 
some of the first instances where they are really delving into 
their own finances, making decisions that are going to have an 
impact on them for the rest of their lives.
    So the commercial third parties are student loan companies 
and student loan consolidators. Is that correct when we are 
talking about ----
    Mr. Runcie. That is right.
    Ms. Plaskett.--the third parties that take over borrower's 
accounts? And less than two weeks ago this committee conducted 
an interview with the special agent in charge of conducting 
that investigation for the IG, and he explained to the 
committee that the information in these students' accounts is, 
quote, ``of commercial interest for loan consolidators.'' 
Right?
    Mr. Runcie. Yes.
    Ms. Plaskett. And that word commercial interest is very key 
to me. He also told us that student loan companies, and I 
quote, ``were controlling thousands of accounts or creating 
thousands of accounts and controlling them.'' Mr. Runcie, is 
this true? Were student loan companies actually using the 
information of individuals they are there to serve in a manner 
to control for commercial interests those accounts?
    Mr. Runcie. Yes. My understanding is that they--it's a fee-
for-service, and so to the extent that they've got 1,000 
clients, they're being charged for those services. So it would 
be a commercial endeavor.
    Ms. Plaskett. And do you have a list of the names of those 
companies that were doing that?
    Mr. Runcie. We've identified some. I don't know that we 
have an exhaustive list of those companies.
    Ms. Plaskett. Ms. Chairwoman, may I ask that we obtain a 
list of every student loan company that was involved in the 
activities?
    And, Mr. Runcie, how long would it take you to provide 
something like that to the committee?
    Mr. Runcie. I don't want to commit because I'm not sure how 
readily available ----
    Ms. Plaskett. Come on, you can't give me like, you know, an 
outside range time or anything like that? A week, two weeks, a 
month?
    Mr. Runcie. I'd say if you'd give us a month, that would be 
appreciated.
    Ms. Plaskett. Of course you would for the outside of what I 
requested.
    Mr. Runcie. Hey, I don't want to negotiate against myself.
    Ms. Plaskett. Got you. Got you. Got you. Very good.
    The special agent in charge also told us that 
student loan companies were, I quote, ``aggressively pursuing 
account holders and taking advantage of this.'' That sounds 
outrageous. And could you explain to me not just with the 
aggressively pursuing but what did he mean by taking advantage 
of them?
    Mr. Runcie. I don't want to speculate, but, you know, to 
the extent that they're providing services and they have 
account information, you know, they can receive correspondence 
on their behalf and make decisions on their behalf. And those 
decisions might benefit them commercially.
    Ms. Plaskett. And are any of these same companies still 
doing business with the Department of Education?
    Mr. Runcie. Not that I know of.
    Ms. Plaskett. Okay. Ms. Chairwoman, we have a 
responsibility to help protect students from the kind of abuse, 
and I am so very pleased that we are having this hearing to go 
through this. And I believe the entire committee is very keen 
on holding a follow-up hearing within the next--with the 
student loan companies that are actually engaged in these 
activities. And I hope that we can have the IG from the 
Department of Education testify about what they have found.
    Thank you very much for the information that you have 
provided us, and I hope, Ms. Chairwoman, we are able to do 
that. I yield back.
    Ms. Foxx. Thank you, Ms. Plaskett. First of all, I want to 
say thank you for your willingness to accommodate me on the 
Floor the other night. It wasn't necessary, but I appreciate 
that.
    And I believe under the committee rules you have the right 
to ask any witness for any information, and I am sure that will 
be followed up with the staff. So thank you very much.
    Mr. Hurd, you are recognized for five minutes.
    Mr. Hurd. Thank you, Madam Chairwoman.
    I apologize if I review some information that has already 
been discussed in this hearing. But raise your hand-- and this 
is for all five of you--raise your hand if you are responsible 
for FAFSA.gov.
    All right. Let the record reflect Mr. Runcie, Mr. Gray, and 
Ms. Garza raised their hand.
    Raise your hand if you are responsible for the DRT tool or 
also known as the FSA-D tool?
    All right. Let the record reflect Ms. Garza and Mr. Corbin 
raised their hand.
    On October 25, 2016, IRS conducted an e-authentication risk 
assessment, and it concluded that the DRT tool was in need of 
stronger authentication measures. Is that correct, Ms. Garza?
    Ms. Garza. Yes, it is, sir.
    Mr. Hurd. And were steps taken to improve the 
authentication measures?
    Ms. Garza. We started to work with the Department of Ed ----
    Mr. Hurd. You started to work with the Department of Ed. 
What steps--what did you actually do since October 25, 2016 to 
strengthen the DRT tool?
    Ms. Garza. We increased monitoring on that application so 
that we could become alerted should something--we see something 
suspicious.
    Mr. Hurd. Were those efforts successful?
    Ms. Garza. In January it was those efforts that identified 
that there was suspicious activity occurring, and at that 
time we partnered with the Department of Ed to get our two 
cyber teams together to review that suspicious activity. And we 
were informed by the Department of Ed that that was not--it was 
normal behavior.
    Mr. Hurd. What steps are being taken now to strengthen the 
authentication of DRT?
    Ms. Garza. We have already developed and implemented an 
encryption solution on the IRS side. We are working with the 
Department of Ed ----
    Mr. Hurd. How is encryption going to help with 
authentication if you have a user that has stolen credentials?
    Ms. Garza. The authentication solution that we had looked 
at was not satisfactory to provide the usability of the 
application, so we have moved to an encryption. So unless that 
----
    Mr. Hurd. But that doesn't answer the question. The 
question is how does encryption on the backend help with 
authentication of an attacker that is using stolen credentials?
    Ms. Garza. It does not improve authentication. What it does 
do is does not allow the data to be revealed to someone other 
than the actual applicant.
    Mr. Hurd. But if you have stolen credentials and you are 
able to spoof that, you have the credentials, what are you 
doing ----
    Ms. Garza. So ----
    Mr. Hurd.--to prevent that from happening?
    Ms. Garza. There are a set of keys that--on the IRS that is 
only shared with the Department of Education. So as the 
applicant comes in and releases--tells us to release the data 
to the Department of Education, they don't have access. They 
don't have a key to de-encrypt that data. Only the Department 
of Education, once it gets to their side, that they will be 
able to de-encrypt the data.
    Mr. Hurd. Okay.
    Ms. Garza. So that applicant ----
    Mr. Hurd. So, Mr. Gray, how--you are responsible for 
FAFSA.gov.
    Mr. Gray. Yes, sir.
    Mr. Hurd. What are you doing to strengthen authentication 
if somebody has stolen credentials to actually authenticate it 
to the end-user?
    Mr. Gray. We are looking at several proactive measures to 
----
    Mr. Hurd. We are looking portends that you are doing 
something in the future. Do you have a past tense verb that you 
can use on what you have done?
    Mr. Gray. For the Department, we follow Defense in depth 
and we have a whole series of actions that we're taking to 
ensure that we protect our systems.
    Mr. Hurd. And what are those series of actions?
    Mr. Gray. Some of them I referenced in my opening statement 
regarding data loss prevention, web access firewalls ----
    Mr. Hurd. So how does data loss prevention help with 
authentication?
    Mr. Gray. It would not. For authentication for FAFSA, the--
this is the balance between--this is an application form where 
users are actually inputting their own data to gain access to 
apply for a student loan.
    Mr. Hurd. Yes, I get that. And ----
    Mr. Gray. So ----
    Mr. Hurd.--you have got to--it is your responsibility, 
right, to confirm that the person that is entering that data is 
indeed the person who owns the data. And I recognize this is a 
tough job, okay? I recognize that what you have to do is 
difficult. But you still haven't explained to me--we have 
proven and we have seen with the theft of over 100,000--or the 
impact on 100,000 students that the authentication mechanism 
within FAFSA.gov and the DRT tool is lacking. And my concern is 
that everybody is doing this. And I want to know what are you 
doing. And if there is not--if you need additional authorities 
to improve authentication on FAFSA.gov, I want to hear that, 
too.
    Mr. Gray. Thank you. The authorities that I have through 
FITARA have been very adequate. In terms of what we're doing, 
this is the balance between accessibility of the tool, which at 
this point is--it is a web application where students and 
prospective borrowers are coming in to apply. The level of 
authentication for that is currently set where it is so that we 
can cast the net as broadly as we can to potential borrowers. 
The identity proofing piece comes in when we are disbursing the 
funds.
    For the DRT, the challenge--or what we're doing is--we're 
looking at doing is masking and encrypting the data so that if 
an identity thief logs in through our system, they will not see 
that data, which would not allow them to exploit this 
vulnerability.
    Mr. Hurd. Madam Chairwoman, I apologize for going over my 
time.
    Ms. Foxx. No problem.
    Without objection, I am going to recognize Mr. Duncan for a 
unanimous consent request.
    Mr. Duncan. Well, thank you very much, Madam Chair. I 
realize you are not going to be able to get to me for question 
and so I simply want to make a unanimous consent request to 
include in the record at this point an email from one of my 
constituents, a Melissa Macko, who is the financial aid 
administrator at the Tennessee College of Applied Technology 
because she has four good suggestions to help with this problem 
in her email. Thank you very much.
    Ms. Foxx. Thank you, Mr. Duncan.
    Ms. Kelly, you are recognized for five minutes.
    Ms. Kelly. Thank you, Madam Chair.
    In recent years, hacking, identity theft, and cyber crimes 
have been on the rise. I have been the victim myself. Federal 
agencies have to do their part to secure their systems, but 
Congress must acknowledge the impact its own actions have had 
on the ability of agencies to protect their IT systems. Many 
agencies face serious challenges in modernizing outdated legacy 
IT systems and implementing stronger cybersecurity measures 
under severe budget cuts that have been imposed by Republican-
controlled Congresses.
    One of the agencies hit hardest by these cuts is the IRS. 
In May 2016, the IRS then-chief information officer Terence 
Milholland testified, and I quote, ``the IRS budget system is 
the most critical challenge facing IT modernization.''
    Mr. Corbin and Ms. Garza, what are the impacts of budget 
cuts on the ability of the IRS to modernize and secure IT 
systems? Are we putting taxpayers at greater risk?
    Mr. Corbin. So, Congresswoman, one of the things that 
Congress did do for us last year was appropriate the additional 
$290 million. We did take a portion of that funding to help us 
get the tools that Ms. Garza had described to help us identify 
and monitor our systems more closely.
    We also continue to invest in the return review program or 
RRP, and so that allows us to create rules and filters so that 
as returns come in, we're able to evaluate those returns and 
then--for potential fraud or identity theft and then stop those 
returns before they are actually paid out.
    Ms. Garza. So I want--I think it's on. I want to thank 
Congress for the money that we did receive. That was extremely 
beneficial. It allowed us to put new technologies in place that 
are actually protecting our systems at a much higher level than 
we had done in the past. In this incident itself, we were able 
to address the situation a lot quicker than we would have been 
able to in the past because of the new monitoring capability 
and the data analytics capabilities that were implemented using 
those resources.
    Ms. Kelly. And would you say more is needed or ----
    Ms. Garza. We would always be thankful for any additional 
resources and continued support in this area.
    Ms. Kelly. To make us more secure?
    Ms. Garza. Yes.
    Ms. Kelly. Okay. It is not just IT systems that have been 
affected by these resource lapses. Mr. Milholland testified 
last year that increased progress on systems modernization and 
cybersecurity measures, and I quote, ``will require significant 
sustained additional resources in the IT area.'' Do you agree 
with that assessment?
    Ms. Garza. I would agree with Mr. Milholland's assessment 
of our needs.
    Ms. Kelly. Mr. Corbin?
    Mr. Corbin. Yes, ma'am, I would agree as well.
    Ms. Kelly. Okay. Yet again, Congress has failed to ensure 
that agencies have the resources they need to carry out their 
missions. For instance, under the IRS Restructuring and Reform 
Act of 1998, Congress gave IRS the authority to hire a limited 
number of individuals to staff critical technical and 
professional positions at salary levels greater than general 
schedule rates. This critical pay authority was intended to 
help the agency attract highly qualified individuals with 
advanced technical expertise who might otherwise be available 
for government service at normal Federal salary levels. The IRS 
used its authority to fill 168 of these positions from 1998 to 
2013.
    Does critical pay play a role in making Federal Government 
jobs more appealing to highly qualified technical individuals 
who may be interested in public service but could be earning a 
much higher salary in the private sector?
    Ms. Garza. Congresswoman, the critical--streamlined 
critical pay authority that we've had was extremely beneficial 
to the IRS. Because of that authority, we were able to bring on 
board high-level architects, engineers, and cybersecurity 
experts. Over the last several years, they have helped us 
ensure that we were doing what was needed to secure our 
perimeter and make sure that our systems were running much 
better.
    The important component of this was the streamlined part of 
the critical pay. It allowed us to offer a job when we had--
when we found somebody after the announcement was made and we 
identified somebody much quicker than the normal process would 
have been. A lot of times what we found was without the 
streamlined component, when we got back to the individual to 
see if they were still interested, the time had elapsed so long 
that we were not able--or they were no longer available or 
willing to come to work for us. So it is a critical component.
    Ms. Kelly. But this pay authority expired in 2013 and has 
not been reauthorized, so American taxpayers lose when Congress 
ignores its responsibilities. Congress can and should swiftly 
pass streamlined critical pay reauthorization and act to 
provide adequate resource levels for cybersecurity at all 
agencies.
    Thank you. Thank you, Madam Chair.
    Ms. Foxx. Thank you, Ms. Kelly.
    Mr. Issa, you are recognized for five minutes.
    Mr. Issa. Thank you, Madam Chair. And I look forward to the 
reauthorization if we can get the reforms that were required as 
of our last couple of hearings on the use of those 168 slots.
    But let me go on to the actual data breach. Ms. Garza, 
under your interpretation of the data breach, this is a data 
breach, right? It is a major incident and it is a data breach. 
Is that correct?
    Ms. Garza. Under the definition of data breach it is 
classified as a data breach.
    Mr. Issa. Okay. So we have had a data breach. Let me turn 
it around for a moment because both you and Mr. Gray said that 
you had no--and I think Mr. Runcie all said the same thing. You 
had no information that personally identifiable information had 
specifically been compromised. That is pretty--paraphrasing all 
of you?
    Ms. Garza. That's correct.
    Mr. Issa. Okay. Well, I will go to IRS first. Ms. Garza, 
you were there for the kickoff of the Affordable Care Act 
website. And, as you know, in that website if somebody looking 
at their information at the top of the screen simply went up 
there and changed the State, they might actually look at 
somebody's personally identifiable information. That was a 
vulnerability that was discovered right in there in the HTTP 
line, right? Do you remember that?
    Ms. Garza. That was on the CMS site ----
    Mr. Issa. Right.
    Ms. Garza.--and so I don't have any detail ----
    Mr. Issa. Okay. Well ----
    Ms. Garza.--specifics on that.
    Mr. Issa.--just for historical sake, I actually did it. You 
could--and somebody did it themselves. You could simply change 
the State and you could end up with somebody else's 
identifiable information on your screen.
    Now, they would have said that there was no breach, as Mr. 
Gray is sort of saying, because there was no proof anyone took 
that information and used it. But let me ask it another way. If 
you put a team of white knight hackers onto this vulnerability, 
could you have harvested information in your estimation?
    Ms. Garza. I think the evidence is that after the fact, 
yes, we--there were people that were accessing that application 
for bad reasons.
    Mr. Issa. Okay. So, Mr. Gray, I want to get you on the 
record under oath with an accountable statement. If there is 
evidence that people did nefariously gain some information, 
whether they used it or not, and that a team of white knight 
hackers or bad people could have harvested information, don't 
you have to admit that this is by definition a data breach, not 
just a hypothetical vulnerability but a vulnerability that was 
recognized that caused the shutdown of this tool?
    Mr. Gray. Thank you for the question and the request for 
clarification. I would say that when I am speaking about a data 
breach, I am speaking about the Department of Education's 
systems, and through our analysis, there was no Department data 
that was compromised or viewed through this. This was a case of 
unlawfully obtained information that was used to go through our 
system to pull information from the DRT.
    Mr. Issa. Okay. But in this case we are talking about you 
together represent like an automobile, and you are saying that 
your right-hand wheel didn't come off but the left-hand wheel 
did or could have. Ultimately, the construction of the entire 
product was brought to a halt as a result of a failure, right?
    Mr. Gray. Yes, sir. Yes.
    Mr. Issa. Okay. And both of you--I just want to make sure 
because I heard Ms. Garza say it--but both of you admit that 
under FITARA, under the reforms, as CIOs, you have budget 
authority and the authority necessary to shut down or to make 
what changes are needed to control the security and accuracy of 
your work. Is that right?
    Mr. Gray. Yes, sir.
    Mr. Issa. Okay. So now my question to you in the short time 
remaining is, although this is about education and it is about 
the tremendous impact on students who will have a burdensome 
time applying, if we are to do the next level of reforms that 
this committee would be required to, if we have given each of 
you authority and one of you says I have got a breach and the 
other says I don't, how do we resolve--within the hierarchy of 
the executive office of the President so to speak how do we 
resolve making sure that the failure of the whole is in fact 
controlled by somebody? In other words, I am looking at the two 
of you. You gave slightly different testimony. I think you have 
come together on testimony.
    But I want to know how in the future we do two things: one, 
make sure that somebody above you, sort of a super CIO, can 
make sure that this that this--that everyone--somebody is 
looking at the entire vehicle and not just a left tire and 
right tire; and then secondly, where were those white knights 
in this process? Where were the people who scrubbed this--third 
parties who scrubbed this data and system trying to find those 
vulnerabilities? Because somebody found it and it wasn't either 
of your teams. I will take an answer from either of you in the 
time that I am allowed.
    Mr. Gray. I don't know where those white knights were, sir. 
I do know that there were other entities within the government, 
USDS specifically, that was assisting with this as well. So I 
don't know where they were.
    Mr. Issa. Okay. So as Will said earlier, before the fact, 
you don't know. After the fact, of course, you could re-create 
it.
    Ms. Garza, the two questions to you. You are very senior in 
this position. You have had a lot of experience. One, how do we 
bring together organizations like you that have become 
interdependent to make sure there is oversight of the entire 
combined authority? And two, how do we make sure there are 
white knights proactively in the future to try to find these 
things and maybe to concurrently and constantly try to find 
them?
    Ms. Garza. Congressman, we actually do have processes in 
place that--where we do penetration testing where we have 
individuals that come in and test our applications to ensure 
that they are not subject to white hackers coming in and 
getting away with the data.
    Mr. Issa. Although, white hackers I am okay with.
    Ms. Garza. White hackers, black hats ----
    Mr. Issa. Bad guys.
    Ms. Garza. So we do have that process in place and we do 
use it. I don't recall right now if that process was utilized 
on this application. It clearly should have, and perhaps we 
would have been able to avoid this.
    As far as your other question, as the IRS continues to work 
with other agencies to provide data, it becomes more and more 
important that we actually address the concern that you have 
raised. I don't have an answer for you right now, but it's 
something we need to be very thoughtful about because I think 
this is going to start happening more often.
    Mr. Issa. Thank you. Thank you, Madam Chair.
    Ms. Foxx. The gentleman's time is expired.
    In the priority of the chair, I think it will be helpful to 
this committee and to the Congress as a whole to get some sense 
of what kind of priority you put on testing your systems 
because it is pretty obvious that something like this should 
have been tested and should have been aggressively tested 
anytime you are sharing data with another agency. So I hope the 
committee will follow up on that.
    Mr. Raskin, you are recognized for five minutes.
    Mr. Raskin. And Madam Chair, thank you very much.
    Mr. Runcie, there has been a documented pattern of abuse 
with the student loan companies for many years now. Lots of 
scams have taken place. In 2012, the IG reported that a student 
loan company improperly accessed student borrower accounts to 
change the contact information of the borrowers in order to, 
quote, ``make it difficult for the borrowers to be contacted by 
their loan servicers.'' Why would they do that? What is the scam? 
Can you explain to us how that works for them?
    Mr. Runcie. Thank you. So they're commercial entities and 
they're fee-for-service entities, so they ----
    Mr. Raskin. These are legitimate businesses then? These are 
not internet scammers or ----
    Mr. Runcie. They're not Internet scammers but the nature of 
the interaction between, you know, those entities and the 
students and borrowers, I can't characterize that. But they're 
businesses that are formed to provide commercial services, 
whether it's loan consolidation or something else.
    It seems and it appears that in cases where they want to 
have a level of control to create a transaction or to continue 
through the process, they change email addresses and 
potentially mailing addresses and so forth to facilitate the 
process that they are taking the students and borrowers 
through.
    Mr. Raskin. But how do they profit from it? They take over 
the student's account?
    Mr. Runcie. They--it's a--they may charge it--and I'm just 
going to make up a number. Let's say they charge $100 for 
consolidation or more. So there's an agreement that they will 
consolidate the loans and create a lower payment amount or 
whatever the agreement is, and they would be paid for that.
    Mr. Raskin. So did this actually take place? I mean, in one 
example the IG reported in 2013 that a company charged 
borrowers a monthly fee--I think it was $60--in order to put 
their loans into forbearance with the promise of enrolling them 
in the Public Service Loan Forgiveness program eventually, 
which they weren't qualified for. But did that actually happen 
with people?
    Mr. Runcie. My understanding is that it--there are these 
companies that provide these services, and a part of that 
process sometimes is they put people into forbearance with the 
understanding that they're ultimately going to go into 
consolidation. So those are third-party entities involved in a 
transaction that doesn't include the Department, you know, 
except for the fact that they're using the email addresses and 
the resources that we have to facilitate transactions where 
they make money. As ----
    Mr. Raskin. So just to get you straight there, they are 
using your website essentially as the framework to access their 
victims. Then, they prey on the people. But as far as you know, 
they might still be in this scam relationship with the 
students?
    Mr. Runcie. Yes. We've looked at IP addresses and we've 
looked at some of the activity, and in some cases you will 
actually see loan consolidations. Whether it's 10 percent or 
100 percent of their clients, we don't know. What we've 
stressed is user education to make sure people are aware that 
they can get these services done for free by leveraging 
resources that the Department provides.
    Mr. Raskin. Well, I get complaints on a daily basis pretty 
much from my constituents who feel like the whole system is a 
scam, but you are talking about a scam on top of a scam in a 
way. You are talking about people who are in serious debt from 
college and then some of these kind of low-riding companies are 
able to access them--charge them more money to offer them 
either real or completely illusory services, right?
    Mr. Runcie. That's right.
    Mr. Raskin. Okay. Who is the ombudsman and champion of 
America's students and college graduates who is looking out for 
the scams in the IRS, the Department of Education, at every 
level of government? Is there anybody?
    Mr. Runcie. I think we play a role. The Department plays a 
role. So, you know, for instance, I mentioned user education. 
The IG has noticed that this is an issue, and we're doing some 
things with our systems to make sure that we give them an 
additional tool or lever that they can use to prosecute, you 
know, bad entities. So, you know, we play a role in that and ----
    Mr. Raskin. How many prosecutions have there been since 
this was revealed?
    Mr. Runcie. I don't have that information.
    Mr. Raskin. Have there been any prosecutions?
    Mr. Runcie. I--the--we don't prosecute. It would have to be 
through the IG or some other ----
    Mr. Raskin. And let me just say I know everybody up there 
is working hard for the American people and has a tough job, 
but the overall institutional sense that I get is one of basic 
passivity and reactivity to events rather than getting on top 
of it. We have got millions of people who are carrying these 
loans. I think there is more student debt in America than there 
is credit card debt now. It is more than $1 trillion. And 
obviously, there is a lot of money being made there, including 
by people who are going out and preying on people who are 
already laboring under the burden of these loans who--do we 
need to create an ombudsperson, somebody who is just a champion 
of the students and the graduates to make sure that they are 
not getting ripped off at every step of the process?
    Mr. Runcie. Yes, I mean, we have an ombudsman, but it's 
not--it's sort of a pervasive all-inclusive person that sort of 
challenge--you know, challenges resources across government, 
across, you know, IGs, across operations. So, you know, that is 
potentially something that can be useful, but ----
    Mr. Raskin. Where is that ombudsperson located? Is that ----
    Mr. Runcie. The ombudsman is located within FSA. They deal 
with complaints and issues that we can resolve. There are 
operational issues, so the customer service issues. They could 
be, you know, school-related issues. But in terms of ----
    Mr. Raskin. Did that person ever raise any of these issues 
with you about the scams being perpetrated on students through 
the website?
    Mr. Runcie. No. Those scams are done by third-party 
entities that are outside of our scope. And so ----
    Mr. Raskin. So basically, it was nobody's responsibility to 
try to identify that threat? Is that right? I mean, that is not 
a gotcha question. I am just trying to figure out ----
    Mr. Runcie. No, no ----
    Mr. Raskin.--to prevent this from happening again because, 
you know, there were cases of this going back four or five 
years now.
    Mr. Runcie. Yes. The--again, the commercial entities that 
are marketing to students to provide services to those students 
and the students agree to, you know, obtain those services, and 
the questionable nature and value of those services is not 
something that we police. What we've been trying to do was 
provide user education and let people know that, you know, they 
don't need to use these resources. And we've--you know, working 
with partner organizations and so forth, but we don't have any 
control over those entities.
    Mr. Raskin. Thank you very much for your answers, and I 
yield back, Madam Chair.
    Ms. Foxx. Thank you, Mr. Raskin.
    Mr. Hice, you are recognized for five minutes.
    Mr. Hice. Thank you, Madam Chair.
    Mr. Corbin, do you have any idea how much the IRS loses to 
fraudulent tax returns each year?
    Mr. Corbin. No, Congressman. I can bring that back for you 
or go back and get that information for you.
    Mr. Hice. Please do. But would it surprise you that in 2013 
alone it was over $5 billion? Does that come as a surprise to 
you?
    Mr. Corbin. It does not come as a surprise, Congressman.
    Mr. Hice. Okay. So it is no surprise that over $5 billion--
let's just say that is the average year, $5 billion a year plus 
or minus in fraudulent returns--and now, as you--as has been 
clearly established, ballpark 100,000 taxpayers put at risk as 
thieves breach the DRT or--do you have any idea how many 
fraudulent returns resulted from those 100,000 taxpayers?
    Mr. Corbin. So, Congressman, what I know is that of the--
we have received about 111,000 returns filed under those Social 
Security numbers. Of those returns, 80 percent of them were 
either stopped by our filters prior to their refunds being paid 
or they were the actual legitimate taxpayer.
    Mr. Hice. Well, that is good information, but that was not 
my question. I want to know how many fraudulent tax returns 
came from those 100,000.
    Mr. Corbin. Yes, sir. We have confirmed about 29,000 
returns as identity theft.
    Mr. Hice. Okay. And how many of those were fraudulent is my 
question. Commissioner Koskinen said it was about 8,000.
    Mr. Corbin. Yes, well, there are--so, Congressman, there 
are 8,000 returns that were not stopped by our filters that we 
have not been able to determine ----
    Mr. Hice. That were fraudulent?
    Mr. Corbin. That we have not been able to determine if they 
were fraudulent or the legitimate taxpayer.
    Mr. Hice. Okay. Well, that was my question. I would 
appreciate it if you would answer the question rather than run 
around it.
    Mr. Corbin. Yes, sir.
    Mr. Hice. Do you have any idea how much money was lost due 
to those 8,000 fraudulent returns?
    Mr. Corbin. I believe that is about $32 million, sir.
    Mr. Hice. It is about $30 million. Does the IRS reimburse 
the fraudulent tax returns from those who were victims?
    Mr. Corbin. So when a true taxpayer comes in and files a 
return, they do get their full refund that they're entitled to.
    Mr. Hice. Okay. And who pays for that?
    Mr. Corbin. That comes out of the Treasury, sir.
    Mr. Hice. So the taxpayers pay for it?
    Mr. Corbin. Yes, sir.
    Mr. Hice. So we had $32 million just out of this 100,000 
people, 8,000 fraudulent returns. So is that $30 million, does 
it include the reimbursement from the victims?
    Mr. Corbin. No, sir, it does not.
    Mr. Hice. All right. So we are talking 60, $65 million in 
this one incident. We are talking if we have $5 billion a year 
in fraudulent returns, we are probably talking $10 billion that 
it costs the taxpayers every year after the victims are paid 
back. Does that ----
    Mr. Corbin. So of the 32, Congressman, again, we have not 
confirmed whether that is a fraudulent return or the true 
taxpayer.
    Mr. Hice. Okay. I am just going by what Commissioner 
Koskinen said, and I would think that he would be accurate in 
that information.
    Ms. Garza, I am still scratching my head over your comments 
earlier, that as far as you are concerned, you didn't know of 
any breach whatsoever, and yet it is pretty well confirmed 
there was a breach here and you even came back around and 
admitted that a little while ago.
    Ms. Garza. It depends on the timing, sir. In September we 
----
    Mr. Hice. It depends on whether or not anyone broke into 
the system. That is what determines a breach. And it just--I 
tell you, I just struggle. It appears to me at the end of the 
day--you are either in denial of what happened or you are 
incompetent or you are just untruthful in what is happening 
here. And I go back with what has been shared, too. The abuse 
that has been inflicted on American citizens by the IRS is 
inexcusable and it is time that there is accountability and 
some change that takes place at the IRS. This is just--it is so 
bothersome it is indescribable.
    Mr. Gray, let me come to you. It is my understanding that 
the Department may have the data retrieval tool operation for 
the purposes of income-based repayment plans back up in May or 
June. Is that correct?
    Mr. Gray. That is my understanding, sir.
    Mr. Hice. Okay. That being said, if it is going--this has 
taken more or less three months to fix it, correct?
    Mr. Gray. Yes, sir.
    Mr. Hice. Okay. If it has taken three months, why in the 
world was this not addressed last fall?
    Mr. Gray. Unfortunately, I can't answer that question 
because I am not involved ----
    Mr. Hice. Who can answer that question?
    Mr. Gray. Mr. Runcie.
    Mr. Runcie. It wasn't addressed--I think it's what we'd 
said a little bit before, which was we were making a decision 
at the time based upon the fact that there wasn't any 
criminal--material criminal activity. What the commissioner 
said was we would continue to monitor the situation, and once 
there was confirmed criminal activity, we would take the system 
down. So that was the focus of it, and then March 3 when there 
was--when we were contacted, the system was taken down.
    Mr. Hice. The commissioner said that identity thieves used 
it to put forth false tax returns and made it clear that there 
was criminal activity, and that because of such, the system was 
going to have to be shut down. It looks like we are talking out 
of both sides of our mouth.
    Madam Chair, I thank you for indulging me extra time. I 
yield back.
    Ms. Foxx. Thank you very much, Mr. Hice.
    Mr. Clay, you are recognized for five minutes.
    Mr. Clay. Thank you, Madam Chair.
    And I find it deeply concerning that the Trump 
administration has started rolling back the protections that 
help ensure that students are not taken advantage of by 
predatory loan companies.
    Mr. Runcie, Secretary of Education DeVos recently rolled 
back a critical protection put in place during the Obama 
administration. This protection prohibited loan servicers from 
charging up to 16 percent in interest on overdue student loans 
if borrowers entered a loan rehabilitation program within 60 
days of default. Mr. Runcie, why did she rescind that 
protective order?
    Mr. Runcie. I'm not aware--there was a policy memo that was 
rescinded. Is that what you're referring to, Representative 
Clay?
    Mr. Clay. Yes.
    Mr. Runcie. Yes? So we--again, we're in the process of 
going through a competition for servicers, and the focus of 
that competition is to make sure that we have the best contract 
in place that's focused on high quality outcomes for students 
and borrowers. So that's what we're focused on. There hasn't 
been anything communicated from the Secretary that would change 
our ability to go forward and to make sure that there's a 
vehicle in place to make sure that we optimize outcomes for 
students and borrowers.
    Mr. Clay. Now, doesn't that action place the financial 
interest of the loan companies over the interest of our 
students?
    Mr. Runcie. That's not what we're doing, and that's not 
what's been communicated to us.
    Mr. Clay. Well, now, does it signal the loan companies that 
they can return to the predatory practices they engaged in 
before that take advantage of students? I mean, look, you and I 
know that people struggle to pay these student loans, so they 
came up with a way to give them some kind of relief, and now we 
are going to throw that out?
    Mr. Runcie. No, I--look, I share your focus on making sure 
that we have the best circumstances for borrowers and students 
and, you know, if you look at income-driven repayment plans, 
which is a tool that was put in place to make it easier for 
students to manage their obligations and their debt, that has 
risen substantially. Our servicers and the Department is 
focused on making sure people get into plans that allow them to 
maintain ----
    Mr. Clay. Okay.
    Mr. Runcie.--and manage their debt.
    Mr. Clay. Okay. Let's talk about those plans. Just last 
month, the Secretary withdrew another critical consumer 
protection afforded to student borrowers. Under the Secretary's 
order, contracts for debt collection will no longer be based on 
a loan company's history of helping borrowers but can again be 
based on a company's ability to collect debt. Can you explain 
why this change was made?
    Mr. Runcie. Actually, the evaluation--and again, we're in 
procurement mode so there are certain things I can't talk 
about--but the actual evaluation does include looking at past 
performance and responsibility, as well as operational 
performance. So it is--the process is more than just looking at 
the ability to recover.
    Mr. Clay. Yes, but doesn't that go back to allowing these 
companies to prey on borrowers, I mean, and make that the 
standard operating procedure, that at all costs collect the 
debt?
    Mr. Runcie. I can't speculate on that, sir.
    Mr. Clay. And, look, there have been troubling reports 
recently that the Department is reversing previous 
determinations that student loan borrowers qualified for a loan 
forgiveness program to encourage public service. Borrowers may 
have relied for years on these determinations to plan their 
educations, their careers, and their lives, and this program 
started in 2007. Under this program, borrowers can have the 
remainder of their Federal student loans forgiven after making 
10 years' worth of payments if they serve full-time in public 
service jobs. Is that what is going on?
    Mr. Runcie. Yes, I'm aware of the issue, and my 
understanding is that there is potentially some litigation 
around that. But, you know, the Public Service Loan Forgiveness 
is a vehicle that's out there. If you make payments for 10 
years on time, you could be forgiven the remainder of that. 
That program is in place and we operationalize it.
    Mr. Clay. And are you intending on changing it?
    Mr. Runcie. I'm not aware that there's any intention to 
change it. You know, that's an overall departmental 
perspective.
    Mr. Clay. It all comes down to let's scam these students, 
let's scam these borrowers, and let's take care of the 
servicers. And I think you should be ashamed of yourselves.
    Mr. Runcie. Well, what I can say is that--and I can say 
this personally--is that there is a dedicated staff at the 
Department that's been there for quite some time, and our focus 
is not to facilitate or aid and abet any situation that 
compromises students and borrowers. We're committed to making 
sure they have the resources to be successful. We know it's 
difficult. It's a huge portfolio. But my intention is the same 
as your intention, which is to make sure that we don't have a 
structure that compromises any ----
    Mr. Clay. God help the borrowers.
    Ms. Foxx. The gentleman's time is expired.
    The ranking member is recognized for a unanimous consent 
request.
    Mr. Cummings. Thank you very much, Madam Chair. I want to 
just submit for the record a letter dated May 1, 2017, to the 
Honorable Kathleen Tighe just requesting certain documents with 
regard to this hearing.
    Ms. Foxx. Without objection.
    Ms. Foxx. The chair will recognize herself for five 
minutes.
    I have to say that I agree with my colleague from Georgia 
who was here a few minutes ago that this situation of none of 
you all or people in your agency has been willing to take 
responsibility for what has happened. Either you are in denial 
or incompetent. I think the American people watching this are 
feeling the same way. I am troubled by my colleagues wanting to 
distract from the incompetence of the FSA and the IRS on 
display here today.
    I want us to go after any bad actors outside the system, 
but our number one priority is to protect the American people. 
And everybody who works in this country is affected by the IRS. 
So, yes, we want to protect students from any unsavory 
characters, but all Americans are affected by the IRS if they 
file their taxes, and most of them do. Thank goodness we have a 
system where most people voluntarily do what they are supposed 
to do.
    So the problem we have with our government agencies is 
there is no accountability for any of you individually, and 
that is a shame, a real shame on this country, that you all can 
ignore the continued incompetence and not be held responsible.
    I do have some questions. The Department has taken some 
steps, Mr. Gray, Mr. Runcie, to mitigate the burdens on 
students' families and institutions caused by the DRT 
suspension, but I am concerned about the potential fraud the 
flexibilities you have put in place may cause. How is the 
Department protecting against fraudulent income reporting or 
ensuring that no new doorways to fraud are opened in this 
process? And I would like specifics, please.
    Mr. Runcie. Well, in terms of--and thank you, Chairman 
Foxx--Chairwoman Foxx. In terms of specifics, you know, as you 
know, the verification--the backend verification is something 
that we've used along with, you know, the schools. So we do 
regression analysis and we come up with a formula that 
indicates a level of risk.
    And so what we've done in terms of giving flexibility is we 
would reduce the lowest-risk element based upon a regression 
analysis so that even if we lessen the verification burden, it 
would be on a risk-mitigated basis. So we would only eliminate 
the lowest-risk applicants potentially.
    So the other part is that we're going to do this for a 
limited period of time, right, because we're going to get the 
tool back up October 1. And so for all the FAFSA cycles going 
forward, that won't be an issue. So it's somewhat of a 
temporary way to address the--to balance the burden to the 
schools against the risk to taxpayers.
    Ms. Foxx. Mr. Gray, do you have anything to add to that?
    Mr. Gray. I would--yes, ma'am. I would say that there are 
also technical controls that we are looking at putting in 
place, and I would be happy to give more in-depth details about 
those controls specifically, but I would not want to reveal 
sensitive information right here.
    Ms. Foxx. I understand.
    So, Mr. Runcie, you touched on this a minute ago, that you 
are trying to get the system back up for the 2018 FAFSA filing 
period. Recognizing the balance between security and access, 
can you make the commitment to ensure there is no opportunity 
for the DRT to be misused again when it is once again 
operational? And I want to ask each one of you answer that 
question yes or no. Mr. Runcie?
    Mr. Runcie. Yes, because the ----
    Ms. Foxx. That is all I need to know.
    Mr. Runcie. Okay. Yes.
    Ms. Foxx. Mr. Gray?
    Mr. Gray. Yes, ma'am.
    Ms. Foxx. Ms. Garza?
    Ms. Garza. I'm unsure.
    Ms. Foxx. You are not sure?
    Mr. Corbin?
    Mr. Corbin. I'm also unsure.
    Ms. Foxx. Mr. Camus?
    Mr. Camus. We will be watching closely.
    Ms. Foxx. I think you have given the American people great 
confidence today from the IRS when you tell us you cannot 
secure the systems.
    Mr. Runcie, I want to come back to you. I have been hearing 
troubling reports regarding the collection of defaulted student 
loans, and we have been hearing a lot about that in here this 
morning. Currently, struggling borrowers in default are without 
the critical services needed to rehabilitate their loans or 
access other benefits designed to lessen the impact of default. 
This is the responsibility of the Department. Can I get a 
commitment from you and the Department to provide my staff with 
critical information needed to assess the current loan default 
situation?
    Mr. Runcie. Absolutely.
    Ms. Foxx. And when?
    Mr. Runcie. Two weeks.
    Ms. Foxx. And when? Can we get--when will we know what the 
critical information is? When will you get that to us?
    Mr. Runcie. So we can define what the critical information 
is within two weeks, and we could get you the information 
within a month because--so we'll have that to you within a 
month.
    Ms. Foxx. Thank you for telling us that. We will hold you 
to it.
    Mr. Runcie. Thank you.
    Ms. Foxx. Mr. Connolly, you are recognized for five 
minutes.
    Mr. Connolly. I thank the chair.
    I just want to say the breach at the Department of 
Education is something we have been warning about on this 
committee for quite some time. The Department of Education 
holds data on 139 million individuals. And I would echo what 
our colleague from Ohio, Mr. Jordan, said that the Department 
of Education may very well be in breach of law, and we are 
going to explore that.
    However, what--Mr. Scott? I was just going to yield to Mr. 
Scott. Is he--all right. Sorry. Then I will pursue.
    Mr. Gray, are you familiar with FISMA?
    Mr. Gray. Yes, sir, I am.
    Mr. Connolly. And what does FISMA require you to do, the 
Department of Education?
    Mr. Gray. To protect our information assets for the 
Department.
    Mr. Connolly. Well, that is not all it does. Doesn't it 
have a reporting requirement with respect to the legislative 
branch?
    Mr. Gray. Yes, sir, it does.
    Mr. Connolly. And what is that reporting requirement?
    Mr. Gray. Within seven days of an incident to report ----
    Mr. Connolly. And did the Department of Education comply 
with that seven-day reporting requirement?
    Mr. Gray. Sir, through our analysis of nearly 89,000 Social 
Security numbers, we did not identify that Department data was 
compromised in this situation. This was a situation where 
unlawfully obtained information was used to go through our 
system to access information through the DRT, which is why we 
did report it to US-CERT, and when it was identified that the 
compromise was through the DRT, we--that is when we did not 
report this as a major incident because our information--the 
information that the Department holds was not compromised.
    Mr. Connolly. And is that still your position?
    Mr. Gray. Yes, sir.
    Mr. Connolly. So from your point of view FISMA has not been 
triggered?
    Mr. Gray. A major breach of Department information was not 
compromised.
    Mr. Connolly. Is that the language of the law, that a major 
breach has to be compromised? That is to say a major breach has 
to lead to the compromise of data?
    Mr. Gray. No, sir. The--when the IRS reported this and we 
were notified on March 3, it was identified as an--the--an IRS 
system. It was not a Department of Education system. We did a 
thorough analysis of all of our system through FAFSA and 
nothing indicated to my knowledge that any of our information 
was compromised.
    Mr. Connolly. Mr. Camus, is that your view?
    Mr. Camus. We have yet to determine the timeliness of the 
reporting of the incident, sir.
    Mr. Connolly. No, that is not my question. My question is 
do you concur with Mr. Gray that there was no breach of data?
    Mr. Camus. We ----
    Mr. Connolly. Compromise of data?
    Mr. Camus. We would view it as once somebody was able to 
see somebody else's data, that that in fact has been a breach.
    Mr. Connolly. I would, too, and therefore, I would argue 
FISMA is triggered. Would you agree?
    Mr. Camus. Yes, sir.
    Mr. Connolly. Well, Mr. Gray, it sure does sound like you 
are splitting hairs and you are coming up with a criterion that 
was not envisioned in the law itself, nor was it reflected in 
the language of the law itself. I mean, we don't have traffic 
laws that allow you to decide, well, I didn't hurt anyone. Yes, 
I was speeding, but I didn't hurt anyone, so therefore, I 
shouldn't get a ticket. I mean, the law is there to make sure 
that the legislative branch is informed in a timely fashion 
when this kind of activity occurs. And the reason isn't so that 
we are keeping score. It is to make sure that we are doing what 
we can on our part to protect sensitive data of American 
citizens.
    And it seems to me that it was incumbent upon the 
Department of Education to inform us in a timely fashion. In 
fact, I would even argue if I were managing the Department of 
Education, you know, the better part of wisdom would dictate 
that I inform them even if I didn't believe FISMA was 
triggered.
    But the fact that months could go by and, as Mr. Camus just 
said, a breach is a breach. Once it is breached, you have to 
assume that data is compromised, if not today, tomorrow, 
because it can be. And I just don't find your explanation very 
credible, and I frankly think it is a disservice to, you know, 
the people whose data you possess. And it is an end around with 
respect to the legislative branch, and I think it is in 
violation of the law.
    I know we are going to pursue that more, but I don't think 
that is something that puts the Department of Education in any 
kind of good light.
    My time is up. And I am sorry I missed Mr. Scott. I was 
going to defer to him. I thought I was being asked to.
    Thank you, Madam Chairman.
    Ms. Foxx. Thank you, Mr. Connolly, and thank you for honing 
in on the issue of the day and looking for what remedies we 
might have under the law.
    Mr. Meadows, you are recognized.
    Mr. Meadows. Thank you, Madam Chairman.
    We are going to follow up, Mr. Gray, right now, because I 
can tell you that Mr. Connolly is spot on. And this is not your 
first rodeo. You know, we have had these other issues before 
with regards to privacy. And is it your sworn testimony today 
that this did not actually require notification of Congress?
    Mr. Gray. No, sir. My understanding is that the IRS had 
reported the incident and that it was a breach, but the 
Department of Education, my understanding when I was notified 
on March 3 that the notification had already happened. I have 
learned in this hearing that it did not happen.
    Mr. Meadows. Well, how can the American people, actually 
people who share private information with you who expect it to 
be protected have confidence when you are here today and you 
don't even know the full story, that you are finding it out in 
a hearing when you knew that we were going to be looking at 
this?
    How can you find a hacker who truly wants to come in and do 
harm and you can't even be prepared for sworn testimony today 
on questions that I presume that you knew we were going to ask?
    Mr. Gray. I understand, sir. The challenge ----
    Mr. Meadows. Where is the outrage? Where is the outrage, 
Mr. Gray? Are you not outraged?
    Mr. Gray. I absolutely am. Our ----
    Mr. Meadows. Why didn't you notify Congress?
    Mr. Gray. My understanding was this was not a Department of 
Education ----
    Mr. Meadows. Well, you realize that was not--did you have 
your counsel that said you don't have to notify us? Who did you 
check with who said you don't need to notify Congress?
    Mr. Gray. We went through our incident response process, 
who did an assessment ----
    Mr. Meadows. So why did you refer something to an outside 
agency before you notified your own IG within your Department?
    Mr. Gray. Our IG was notified right after we ----
    Mr. Meadows. Well, but according to my documents, you 
actually notified US-CERT first, according to your testimony. 
Why would you do that and wait to get the IG involved?
    Mr. Gray. Because when we notify US-CERT, it's to let them 
know that we were investigating something that had occurred. At 
that time, we weren't sure what had happened.
    Mr. Meadows. Okay. So the IG, you go, you notify the IG. It 
was important enough to notify the IG but it was not important 
enough to notify Congress?
    Mr. Gray. Hindsight, sir, yes, it was important enough to 
notify Congress.
    Mr. Meadows. Well, at what point are we going to get this 
right? Because we continue to have breaches. Mr. Connolly and I 
have had a number of hearings where we have raised this as a 
concern, and yet what happens is is we are always coming in 
after the fact to look at this. Do you not see a problem with 
that?
    Mr. Gray. I do see a problem with that.
    Mr. Meadows. Well, when are we going to get it fixed?
    Mr. Gray. Sir, we receive on average more than 1.5 million 
intrusion attempts every single month at the Department, and 
what my team does is we assessed to determine whether or not 
something had happened, nothing happened, and logistically--I 
mean, I know in this case it's easy to look and say, okay, this 
should have been reported. I understand that.
    Mr. Meadows. So you're saying it's a matter of logistics on 
why you didn't report it? Because that's different than what 
you said earlier. Earlier, you said you didn't think you had to 
report it.
    Mr. Gray. Based on the analysis that my team did, we--our 
information, the information that I am--that our ----
    Mr. Meadows. So how confident are you that there was only 
89,000 people that were affected?
    Mr. Gray. Based on the logged analysis that was done at the 
Department, very confident.
    Mr. Meadows. All right. A 10?
    Mr. Gray. Yes, sir.
    Mr. Meadows. So if we find out there is more than that, are 
you willing to resign?
    Mr. Gray. If it's--if I don't know the information, no, 
sir. I mean, from what I have ----
    Mr. Meadows. Well, you said you are confident at a level of 
10, so I guess I would stake my reputation on that if you were 
confident at a 10. So if there is more than that--because the 
IRS knows that sometimes we find out that there is actually 
more people that were affected than was originally thought. So 
if you are confident at a 10, are you willing to stake your 
reputation and your job on it?
    Mr. Gray. So, sir, the challenge here is that when we ----
    Mr. Meadows. Sir, I am representing people back home in 
North Carolina, as every member here is, and you know what, 
they fail to realize that you can't protect sensitive 
information that they give you, and they don't understand that. 
I don't understand it. At what point are we going to have the 
confidence when people share their information with the 
government that it is not subject to being shared with another 
party? Isn't that what your job is all about as CIO?
    Mr. Gray. Yes, sir.
    Mr. Meadows. All right. The next time, are you going to 
inform Congress when there may be a doubt? Will you inform us 
within the seven days?
    Mr. Gray. Absolutely.
    Mr. Meadows. All right.
    Ms. Garza, last question to you. Why didn't you inform us?
    Ms. Garza. Congressman, we briefed the staff shortly after 
we brought down ----
    Mr. Meadows. You didn't brief our staff. Why didn't you 
inform Congress? That is the question of the day. Because 
according to your TIGTA, it is 100,000, so it is certainly--
even meet the threshold, but why wouldn't you inform us?
    Ms. Garza. So, Congressman, we did inform the Congress that 
this was a data breach. The reason why it took as long as it 
did is because we were going through analyzing the information. 
The initial population was much smaller than 100,000 that we 
thought were impacted. We also needed to coordinate with the 
Department of Education to determine whether ----
    Mr. Meadows. But didn't you find it just based on dumb 
luck? It was actually just one of your IRS employees that 
actually got a transcript request and they said, hey, something 
doesn't smell right here?
    Ms. Garza. Congressman, we have multiple layers of ----
    Mr. Meadows. That is not the question. Wasn't it dumb luck 
that you happened to find this?
    Ms. Garza. No.
    Mr. Meadows. So it wasn't an IRS employee that happened to 
get a transcript? Be careful; you are under sworn testimony 
here.
    Ms. Garza. The--it was an IRS employee. He received a 
notification as part of one of our defense mechanisms that his 
account had been accessed.
    Mr. Meadows. So it was an IRS employee who happened to have 
his stuff that was notified and we said, hold on, we got a 
problem here? Do you not see that that is almost laughable?
    Ms. Garza. One of our mechanisms to determine whether 
something has gone wrong is a notification to the taxpayer. Our 
systems automatically send out a notification ----
    Mr. Meadows. So you purposely embed IRS employees in all 
this so that they might get a personal notification so they can 
highlight this? Come on.
    I will yield back.
    Ms. Foxx. The gentleman's time has expired.
    Mr. Sarbanes, you are recognized for five minutes.
    Mr. Sarbanes. Thank you, Madam Chair. I thank the panel.
    Ten years ago, I was proud to lead the effort here in the 
House and we teamed up with Senator Kennedy on the Senate side 
to create the Public Service Loan Forgiveness program. And we 
have paid close attention to that over the last 10 years, 
working with U.S. Department of Education along the way, to 
create online resources to help borrowers understand whether 
they are going to qualify for this program, which includes 
reduced monthly payments, as well as ultimate forgiveness of 
their outstanding principal if they commit 10 years to public 
service.
    That includes the need to be assured that the employment 
you have, the particular employer that you are working for, 
qualifies under that public service category and that you can 
count the time spent with that employer towards your 10 years 
and ultimately earn the forgiveness.
    Congressman Clay alluded a moment ago to the fact that 
there is some troubling position that the U.S. Department of 
Education has been taking over the last 18 months with respect 
to certain categories of employers. They are now telling 
borrowers who relied on an assurance that that employer would 
qualify, being told now that it won't, and there is some 
litigation around that, Mr. Runcie, as you indicated. And we 
need to get to the bottom of that because our borrowers that 
have relied on assurances that have come from the Department 
and they need to be able to count on that. Otherwise, the rug 
is being pulled out from under them.
    I know that some of us here have been trying to get a 
briefing from the Department over the last few weeks. That has 
not yet happened. Could you commit to us today that the 
Department would be willing to brief us on this issue and what 
is happening with that?
    Mr. Runcie. So I--it's not just FSA. I mean, we obviously 
operationalize it and we put the resources out there so people 
can avail themselves of Public Service Loan Forgiveness. But I 
think that briefing would include other entities such as ODC 
and policy, some other folks. I can't ----
    Mr. Sarbanes. Well, that is fine. Can you help us arrange 
to get that briefing done and get it done quickly so we know 
what is happening with this and then we can take appropriate 
steps in our oversight capacity?
    Mr. Runcie. Absolutely. It is an important issue, and I 
think we're real focused on it, so I will absolutely commit to 
working, you know, with my colleagues to ----
    Mr. Sarbanes. Now, let me stay focused on the Public 
Service Loan Forgiveness piece and loan-driven repayment, 
because when you talk about the universe of borrowers out there 
that are impacted by the breach that we are talking about 
today, using this data retrieval tool, you have the part of 
that universe that are folks that are, you know, involved with 
standard repayment, and then you have those who are in a loan-
driven repayment situation based on one program or the other. 
That includes Public Service Loan Forgiveness. And they have to 
be handled differently because they are impacted differently.
    And you have indicated that with respect to the standard 
repayment world that you are going to try to get this tool back 
in service by the beginning of the next year, so October is the 
goal. But with respect to loan-driven repayment, you are trying 
to get that back up by May.
    So can you tell us how confident you are that--I mean, it 
is May now. I mean, how confident are you that that is going to 
be available to folks that are benefiting from loan-driven 
repayment arrangements? Is that going to happen?
    Mr. Runcie. Yes, we are very confident. You know, as the 
IRS mentioned, they've completed the encryption part, and we 
have a timeline that gets us to a place where it's up and 
running by the end of this month. So we know it's only another 
few weeks but we can commit to that.
    Mr. Sarbanes. I appreciate that. Could you also let me 
know--I know one of the remedies or sort of stopgap remedies 
when someone is in a situation perhaps not being able to access 
a tool that allows them to do things in a timely fashion is 
forbearance for, you know, two months, three months, what have 
you. That can work okay for the standard repayment folks 
because there is really no downside to losing a couple months 
in terms of your repayment.
    But if time is of the essence in the sense that you are 
accruing time towards this 10-year repayment period, then 
forbearance isn't necessarily going to be a great solution for 
people that are in the loan-driven repayment category. Is that 
something that the Department has considered, and is there a 
way to provide a remedy there that doesn't complicate the lives 
of these folks that are in a particular program like that?
    Mr. Runcie. Yes. I'll make sure that we are--I know we're 
considering a lot of different issues around it, and I believe 
that's one, but we'll certainly make sure that we're focused on 
that because I do understand the issue around that.
    Mr. Sarbanes. Okay. I yield back.
    Mr. Runcie. I wanted to add one thing, and we're pretty 
firm on the end of May unless potentially some requirements 
change, but I think we're committed to the end of May for the 
tool being back up for the income-driven repayment plans.
    Ms. Foxx. Well, thank you, Mr. Sarbanes.
    Thank you, Mr. Runcie.
    Mr. Mitchell, you are recognized.
    Mr. Mitchell. Thank you, Madam Chair.
    I join your dismay that rather than discuss the data 
breach, the impact it has on the ability of students to get 
assistance, how we deal with the data breach going forward, 
avoided that some wish to talk about issues that we are now 
going to investigate as well, which is potential bad actors to 
obfuscate with the current issue is, which is the IRS and the 
Department of Ed's inability to have this tool work and not 
have it breached but rather talk about other issues.
    We only have so much time here. We only have so many things 
we do simultaneously. Let's talk about the issue we put on the 
table. So I am dismayed, and I guess I shouldn't be surprised.
    Mr. Connolly, you have--I am sorry, Mr. Gray. You have seen 
the Wizard of Oz, right?
    Mr. Gray. Yes, sir.
    Mr. Mitchell. Did you see the part where they talk with the 
scarecrow and they ask him which way the yellow brick road is? 
Do you remember that part?
    Mr. Gray. Yes, Representative.
    Mr. Mitchell. And the scarecrow goes like this? Do you 
remember that part?
    Mr. Gray. Yes, sir.
    Mr. Mitchell. In my opinion, frankly, sir, that is exactly 
what you are doing when you talk about, well, the data breach 
happened at the IRS and we didn't think it was us so we didn't 
need to worry about notification. You know, when you have got 
something as sensitive as personal information for the number 
of students that you have, the moment in time that you think 
your data has been breached, you have a legal if not moral--
moral if not legal responsibility to notify Congress. That is a 
lot of information. And it wasn't done.
    And it is not the first time it wasn't done. And I don't 
understand that. And I don't know how it is we get across to 
the Department that that is your responsibility by law if not 
morally. What does it take to get someone to understand that 
over there? Can you explain that to me?
    Mr. Gray. I have committed that going--that I will do that, 
sir.
    Mr. Mitchell. I ran a private career school group that had 
6,000 students a year, close to 7,000 students a year for six-
and-a-half years as a CEO. Ms. Garza, do you know what--the 
CIO reported to me for a reason. Do you know the deal I had 
with the CIO if we got hacked? And we didn't have as many hack 
attempts as the Department of Ed, I will just be honest about 
it. Do you know what the deal was? Do you want to guess what 
the deal was if we got hacked?
    Ms. Garza. You held the CIO accountable.
    Mr. Mitchell. The CIO's resignation was on my desk. That is 
how sensitive that information was. And I am serious. I am 
absolutely serious. I will give you his phone number. You can 
call him. His resignation was on my desk. His cell phone got 
buzzed any time there were certain sets of activities, whatever 
hour of the night.
    Now, who on your staff gets called in the middle of the 
night or gets a buzz if in fact data goes out of whack? 
Anybody?
    Ms. Garza. The CISO is the first one that gets a call, and 
then depending on the type of breach, she will call me.
    Mr. Mitchell. Let me change the subject for a moment here 
because time is limited. I have heard repeatedly budget 
concerns, budget concerns. I come from the private sector, and 
I am absolutely amazed. The first time a problem comes up, 
everyone wants to whip out the taxpayers' checkbook because, 
hey, just spend more money. From the world I come from, we 
first identify the problem and what it takes to solve it and 
not just throw money at it.
    So answer a question for me, Ms. Garza. And by the way, I 
mean, we all know how many people have had their data hacked, 
false tax returns. I had it happen to me. My youngest son is 
dealing with it right now this year. How much money do you need 
to tell this group, to tell Congress that you can secure this 
system? Exactly how much do you need in your budget that you 
will put your letter of resignation there if you get hacked? 
How much money?
    Ms. Garza. I don't know how much money it would take.
    Mr. Mitchell. But you ask for more money all the time.
    Ms. Garza. We ask for additional resources to continue to 
fortify ----
    Mr. Mitchell. Every year.
    Ms. Garza.--our systems.
    Mr. Mitchell. Every year.
    Ms. Garza. That's correct.
    Mr. Mitchell. I asked you a question. How much money do you 
need in your budget for data protection that you will put that 
budget request in and simultaneously you will tender your 
resignation that if you get hacked, you go home?
    Ms. Garza. I don't have that dollar amount in my mind. What 
I do know is that criminal enterprises are constantly changing 
----
    Mr. Mitchell. Oh, I understand that.
    Ms. Garza.--and their tactics, and so to make the statement 
that we can guarantee a system is secure quite frankly is a 
little bit folly. We are doing everything that we can to make 
sure that our systems are secure. We have not had a breach of 
our internal systems, although we have had data loss. And so to 
put--to try to come up with a dollar amount that would 
guarantee that something will not occur I think--at that point 
I would think that we are probably not going to end up being 
secure.
    Mr. Mitchell. And my time is expiring and I appreciate the 
patience. Anywhere else in the world in the private sector at 
least somebody says we really screwed up here. At least someone 
says, well, hey, we missed--you know, they take accountability 
for it. My technology staff took it personally when someone 
tried--you know, when we had people trying to hack it, when we 
had--how we secured it. It was the game. It was their life. And 
the fact that folks can sit here and say, well, basically, 
stuff happens. But when you are talking about people's 
information to the Department of Education or IRS, it is not 
just stuff happens. This is their life. It is their tax return. 
It is their personal information used to get credit elsewhere.
    This is not minor stuff, and I don't see the perspective or 
concern that, well, we do the best we can. If it is wrong, we 
may notify, we may not notify. We may not think it is our 
problem because it is the IRS's problem. Again, they went that 
way. Somebody needs to be accountable for it, folks. And I will 
join Mr. Connolly and others in finding a way we have got to 
hold folks accountable because we can't have this kind of data 
leaking out, people taking it and using it for adverse 
purposes. You should be ashamed.
    I yield back. Thank you.
    Ms. Foxx. The gentleman's time has expired.
    Mrs. Maloney, you are recognized for five minutes.
    Mrs. Maloney. Thank you, Lady Chair.
    We need to do everything we can to prevent cyber attacks 
from occurring, but when they do occur, it is critical that we 
take it as seriously as the gentleman said and also that we 
learn from them.
    In 2015, criminal elements attacked the IRS and its Get 
Transcript application, the tool that allows taxpayers to 
obtain copies of prior tax returns using a collection of 
personal information. An organized crime syndicate accessed 
this application using stolen personal information of 
individuals and obtained tax data for a staggering 300,000 
individuals. Is that correct, Mr. Corbin?
    Mr. Corbin. That is correct, Congresswoman.
    Mrs. Maloney. And since that incident, the IRS has been 
working diligently to increase the security of its systems. In 
January 2016, a result of cybersecurity improvements, the IRS 
stopped an attempt to acquire the e-filing PIN number of 
taxpayers. Mr. Corbin and Mrs. Garza, is that correct? And can 
you describe what the improvements were that were able for you 
to stop this other attempt?
    Mr. Corbin. So for--so, Congresswoman, for Get Transcripts, 
we took that application down and did an assessment level of 
risk, and we put in place what we call secure access 
authentication. It is a higher level of authentication that 
requires ID proofing, financial verification, and then an 
activation code in order to be able to get access to your 
transcript.
    We continue to take the dollars that were provided by 
Congress, the $290 million, to invest in additional cyber tools 
that allowed us in this case to be able to detect when there 
was activity occurring on tools that we have that are outside 
the IRS network.
    For the e-file PIN, Congresswoman, we looked at that and 
again identified that that would be a vulnerability. The e-file 
PIN application is not back up. We eliminated the e-file PIN 
application and now require AGI or the self-select PIN, which 
taxpayers have.
    Mrs. Maloney. Okay. After the 2015 incident, you did a 
reassessment of the security of all of your online 
applications, including the data retrieval tool. And as you 
stated in your testimony, that assessment--and I am quoting 
from your testimony--indicated the need for strengthened 
procedures and led to collaboration with the Board of Education 
to best implement those procedures. Now, is that correct?
    Ms. Garza. That is correct.
    Mrs. Maloney. Okay. Now, I want to turn to the 2017 data 
retrieval tool incident where criminals were able to use 
personal information gathered elsewhere to create student aid 
accounts on the Department of Education's websites and obtain 
individuals' sensitive tax information. So, Mr. Corbin and I 
would say Mrs. Garza, is it right to say that, much like in 
2015, individuals were seeking the information necessary to 
file fraudulent returns?
    Ms. Garza. That's correct.
    Mrs. Maloney. Yet this time, individuals were much less 
successful in obtaining the returns, and according--would you 
like to comment on that?
    Mr. Corbin. No, Congresswoman. Go ahead.
    Mrs. Maloney. According to GAO, identity theft at the IRS 
has decreased in recent years because the IRS has improved its 
ability to detect fraud before processing returns. This 
approval detection ability is illustrated by the fact that 
automatic security filters were able to stop almost 65 percent 
of potentially fraudulent refunds from being issued in the data 
retrieval tool incident. Is that correct?
    Mr. Corbin. That is correct.
    Mrs. Maloney. So we can't stop all cyber attacks. That is 
just the reality of today. But we can learn from them. So I 
think you have shown your ability to do that.
    So, you know, when you file--why would somebody want to 
file a fraudulent return? What was the purpose of it for the 
purpose ----
    Mr. Corbin. So, Congresswoman, most people file fraudulent 
returns with the hopes of obtaining a refund ----
    Mrs. Maloney. Whoa, okay.
    Mr. Corbin.--from that return.
    Mrs. Maloney. And are they successful?
    Mr. Corbin. Congresswoman, fraudsters are successful, but 
we have gotten so much better over the years. The IRS has a 
public-private partnership called the Security Summit where we 
work to protect the tax ecosystem, working with State 
Departments of Revenue, with software developers so that we can 
build better systems to help protect the tax ecosystem.
    As you stated in this case with the data retrieval tool, we 
have new data elements or information that we are using in our 
filters. It did allow us to stop 80 percent of the returns that 
were filed in this event that were either potentially 
fraudulent or before the refunds were able to be paid.
    Mrs. Maloney. Well, thank you. My time is expired, but I 
hope we can continue to fund the IT improvements that the IRS 
requests so we can continue going forward in being more 
effective in stopping fraud and helping taxpayers.
    Thank you for your testimony today.
    Ms. Foxx. Thank you, Mrs. Maloney.
    Mr. Grothman, you are the one we have been looking for, the 
last one.
    Mr. Grothman. Good.
    Ms. Foxx. You are recognized for five minutes.
    Mr. Grothman. Mr. Gray, I will give you a few questions. 
How long have you been the chief information officer over at 
Education?
    Mr. Gray. Eleven months, sir.
    Mr. Grothman. Okay. And since November of 2015, this 
committee has uncovered what we feel are significant 
shortcomings in your IT security plans before you were even 
there, as well as corruption of the former CIO. As newcomer, 
what concerns you the most, and what were your first actions as 
CIO to clean this up?
    Mr. Gray. There were several--I had five focus areas when 
it came to the Department. One was on security, another was 
FITARA and organizational health, so there were policy 
challenges. There were numerous things that we need to improve. 
And I will say in the last 11 months we have made significant 
progress at the Department in terms of implementing processes, 
implementing policies, changing personnel.
    Mr. Grothman. Okay. Last year, US-CERT reported 192 
incidents in your Department. Can you tell us what information 
leaked out in those 192? Give us, say, how many files and what 
they covered?
    Mr. Gray. I would have to get that information for you, 
sir. I do have a list of the information and--but I'd want to 
verify.
    Mr. Grothman. Give me a broad--you know, there must be some 
that stuck in your mind. What are the type of things that get 
out there?
    Mr. Gray. Typically, Social Security numbers that were 
inadvertently sent from one individual to an individual it 
wasn't supposed to or it wasn't encrypted.
    Mr. Grothman. Anything beyond that? Any information 
connected with the Social Security numbers?
    Mr. Gray. I would--I'd want to verify, sir, but to my 
knowledge I would ----
    Mr. Grothman. You can't think of any example?
    Mr. Gray. Not at this moment.
    Mr. Grothman. Okay. Is this--I guess we will call this 
OCIO-14 handbook?
    Mr. Gray. Yes, sir.
    Mr. Grothman. Okay. You know how recently this was updated? 
Or I've got one that I believe is right now the current one 
that you must give your employees. Do you know how recently it 
was--or how recent the most recent update was?
    Mr. Gray. There is a draft going--circling right now to--
that is being updated, that has been updated and that is being 
routed for concurrence right now.
    Mr. Grothman. Yes, but do you know how long--how old this 
is?
    Mr. Gray. Several years, sir, too many.
    Mr. Grothman. A little over six years now. Okay. Do you 
think that is satisfactory?
    Mr. Gray. No, sir.
    Mr. Grothman. Okay. Could you give us a hard number as to 
when you feel you have got something new available for your new 
employees?
    Mr. Gray. For OCIO-14?
    Mr. Grothman. Correct.
    Mr. Gray. The concurrence process within the Department 
takes an amount of time, so I can't comment on that, but I will 
say that I have a solid draft that is going through concurrence 
right now.
    Mr. Grothman. Can you give us a guess? A month, four 
months, a year?
    Mr. Gray. My understanding is the process is about six 
months to a year to go through formal concurrence.
    Mr. Grothman. And how far are you through the process now?
    Mr. Gray. We started last week. We started the actual 
concurrence process last week, sir.
    Mr. Grothman. Okay. So you began something but it could be 
a year before we get something that is more than six years old?
    Mr. Gray. I will expedite it because I know it's critical 
to the Department.
    Mr. Grothman. And critical to us and critical for the 
public.
    Could you give us--when we talk about the files with the 
Social Security number, can you tell us what else is in those 
files?
    Mr. Gray. I would have to look specifically at them. I--at 
this point--I mean, sometimes they're Excel spreadsheets that 
contain Social Security numbers. I would have to look to 
verify.
    Mr. Grothman. Okay. I will try Mr. Runcie. Have there been 
breaches of your ----
    Mr. Runcie. Not to my knowledge, no. There was I think 
about--it might've been four years ago there was a time where 
the system was open for a few minutes, and there were 6,000 
cases of information that was viewed that shouldn't have been 
viewed, but that was the only systemic breach or exfiltration 
of--it wasn't even an exfiltration but it was an incident that 
occurred at that time.
    Mr. Grothman. How long ago was that? How long ago was that?
    Mr. Runcie. It was a few years ago. I'm not exactly sure.
    Mr. Grothman. So you have had nobody breach anything for 
the last four or five years, do you think, three or four years 
we will say?
    Mr. Runcie. Well, there has been no material breach. There 
is a possibility that there might have been an incident here or 
incident there in terms of student aid data but none to my 
knowledge.
    Mr. Grothman. Okay. They don't tell you?
    Mr. Runcie. I would be informed if there was, and I'm not 
aware of any.
    Mr. Grothman. Okay. I yield the remainder of my time.
    Ms. Foxx. Thank you very much.
    I am ready to close. I have none of my colleagues on the 
Democrat side, so I will make some very brief comments.
    To not broach our protocol, I will not ask questions, but I 
will let Ms. Garza, Mr. Corbin, Mr. Camus know that we will be 
asking you exactly how many fraudulent returns were filed as a 
result of the breach and when those people obtained that 
information. And we will want an answer in what most of us 
would consider reasonable time.
    It has been extraordinarily difficult today to get any kind 
of specific answer out of any of you. And I think Mr. 
Mitchell's comments about the scarecrow were entirely apt. You 
are blaming each other. The American people frankly are tired 
of this kind of display of incompetence again. You all cannot 
answer questions or will not answer questions. It is a little 
difficult to know.
    And let me tell you something. In my world, $30 million is 
a lot of money, a lot of money. And you all don't seem to take 
it seriously at all, that as a result of your not being able to 
take action when a breach is made and you are not following the 
law to let Congress know, it is even more troubling to me that 
you take so long to do anything.
    Mr. Grothman's comments about a document that is very 
important taking seven years to update, it is pure 
incompetence.
    And I would venture to say that we might be able to get 
better people coming into your agencies to do the work that 
needs to be done regardless of the pay if they thought they 
could get something done. But the bureaucracies are so 
impossible to change.
    And I do want to note that both Mr. Gray and Mr. Runcie 
came to the Department and all of you all, too, in the IRS 
under the Obama administration. Our colleagues are going to 
raise Cain with the existing Departments and make it appear as 
though this is the responsibility of the current 
administration. And I think it needs to be made abundantly 
clear that you all came into these agencies under the previous 
administration and have been kept on by the previous 
administration.
    We will also put into the record the expanded timeline in 
terms of when these problems began occurring and point out 
where we possibly can the inaction of the people who are 
supposed to be working for the American people and keeping 
their data confidential.
    So I thank you all for being here today, and this hearing 
is dismissed.
    [Whereupon, at 12:07 p.m., the committee was adjourned.]


                                APPENDIX

                              ----------                              


               Material Submitted for the Hearing Record
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
