Page 30 - FCW, September 15, 2017

Cybersecurity
The Education Department has yet to comply with IG recommendations to require multifactor authentication.
Data did not keep detailed records that explained the method by which employees could have obtained the personal information necessary to log into and change the accounts.
FD Holdings acquired Kroll in January 2015, and a spokesperson said in a statement that Education's IG asked about "certain student loan information accessed by Kroll Factual Data in connection with one of its service offerings." But FD Holdings said it does not have further details about the incident because the company did not purchase Kroll until years after those activities happened.
The IG's report states that Education Department officials presented information on the "unauthorized Sallie Mae account tampering" to the Justice Department's Computer Crime and Intellectual Property Section for potential prosecution in 2014, but Justice officials declined to prosecute anyone.
One reason for not taking on the case was redacted in the report, and another reason given was that potential remedies are available elsewhere, specifically at the Federal Trade Commission, which agreed to accept the case in February 2015.
FTC officials said the commission’s policy is not to comment on whether it is investigating a matter.
An ongoing problem
The Kroll situation is only one example of recurrent findings by the Education Department's IG that outside vendors are misusing federal student loan credentials. Grant said many situations similar to the Kroll case popped up during the IG's 2016 audit. In one investigation, an unidentified loan consolidator that promised to enroll borrowers in debt forgiveness programs — for which they weren't necessarily eligible — allegedly accessed the National Student Loan Data System and tampered with a borrower's PIN account.
But the company had required borrowers to sign a power of attorney granting permission to view their accounts, so investigators found it difficult to bring charges for unauthorized access.
Other recent hacks of the system include a breach of a since-deactivated IRS tool that supported the Education Department’s online financial assistance form; the breach might have affected as many as 100,000 taxpayers.
In May, Diverse: Issues in Higher Education reported that a private investigator in Louisiana allegedly tried to exploit the IRS tool, which is part of the Free Application for Federal Student Aid, to illegally obtain Donald Trump's tax records during last year's presidential campaign.
The tool was unplugged in March after it became clear that bad actors were submitting Social Security numbers and other data to make the form automatically upload tax information.
Officials at the Education Department declined to comment on the Kroll breaches but said they have been adjusting login requirements for certain financial aid websites, such as FAFSA.gov and StudentLoans.gov.
In May 2015, Education launched FSA ID, a credential consisting of a username and strong password. The sign-on method does away with PINs and offers users three options for resetting accounts: enter a secure code sent via SMS, a code sent via email or the answers to previously chosen challenge questions.
"FSA ID uses several mechanisms to try to prevent fraud during account creation and login," Education spokeswoman Elizabeth Hill said. Recently, "SMS was added for ID verification and account recovery," but that approach is optional.
The impact on students
The department completed a simple fix in May when it quietly altered the terms and conditions on the National Student Loan Data System and the FSA ID website, as recommended by the IG. Now the warning explicitly states that it's against the law for a third party to access the site for commercial or private financial gain, even if it is assisting an authorized user.
But the Education Department has yet to carry out repeated IG recommendations to require multifactor authentication, which would demand that users have a password or other credential plus an outside form of proof that cannot be duplicated, such as a one-time code from an automated voice call.
Cummings, who sits on several university boards, wants to ensure that agencies are well equipped, adequately funded and fully staffed to protect students from predatory lenders and cyber criminals, his aides said.
"There's something about this that just tears at my heart," Cummings said at a hearing in May. "I see young people having to drop out of school because they don't have money and they are struggling. They just want to go out there and be all that God meant for them to be, and not only do they have to fight people who are supposed to be helping them but then they lose the opportunity."