If you recently used the Internal Revenue Service (IRS) Data Retrieval Tool to fill out the tax return information on your FAFSA, your tax return may be in jeopardy.
The IRS discovered that their Data Retrieval Tool on fafsa.gov and studentloans.gov was accessed by hackers to file tax returns and steal refunds fraudulently. The IRS believes up to 100,000 people could be affected by this security breach.
Read on to learn more about what happened in this data breach and if it affects you.
What you need to know about the FAFSA data breach
Although there’s not yet an exact number, current estimates show that up to 100,000 FAFSA users may be affected by this breach.
According to The New York Times, the IRS became concerned the IRS Data Retrieval tool could be manipulated by thieves last fall.
This isn’t the first time a data breach has occurred. In 2015, hackers gained access to more than 300,000 people’s returns.
Because the tool is used to automatically populate student and parent tax information, hackers could fill out fraudulent FAFSAs in someone else’s name to access that information. From there, they could file a tax return and steal that person’s refund.
In February, the IRS noticed an uptick of unfinished FAFSA applications, indicating hackers might be to blame. To mitigate the issue, the IRS removed the Data Retrieval Tool in March. It is undergoing new security measures and should be ready to use in October.
John Koskinen, IRS Commissioner, expressed relief that the IRS caught the breach early during a Senate Finance Committee hearing on Thursday. “Our highest priority is making sure that we protect taxpayers and their identity.”
What the IRS data breach means for you
If you’ve already filled out your FAFSA
The IRS is sending letters to those who may have been affected. As of right now, 35,000 letters have gone out. And The New York Times reports more letters will follow:
[The IRS] was planning to contact 100,000 people to alert them that they might be at risk. The agency believes that fewer than 8,000 fraudulent returns were filed and processed, resulting in refunds issued.
If you’ve recently used the IRS Data Retrieval Tool and you haven’t received a letter, reach out to the IRS to make sure no fraudulent returns were filed under your name. It’s better to be proactive than wait to see if you hear from the IRS.
If you still need to fill out your FAFSA
If you were planning on using the IRS Data Retrieval Tool to complete your FAFSA, you’re not going to be able to do so by the FAFSA’s deadline of June 30, 2017. Due to this security breach, the tool is being taken down until the fall.
You will still be able to fill out your FAFSA at FAFSA.gov, but you’ll need to enter your tax information manually.
If you can’t find your tax returns from 2015 (the required year of tax returns for the academic year 2017-18), you can use this tool from the IRS to get a summary of your tax return.
How to protect yourself if your information is exposed
This particular security breach is one in which returns are being filed fraudulently in other people’s names. Anyone whose information is potentially exposed can call the IRS to see if there’s any such activity on their file.
That said, it’s important to know what to do in the event of a security breach. Once your information is exposed, there are multiple ways thieves can use it – it just depends on their motives and the information they have.
For example, if someone steals your credit card, thieves will likely make purchases on your card. You can spot that by vigilantly reviewing your credit card statement. However, if someone has your Social Security number, they may be able to open accounts in your name. And that’s not so easy to spot unless you regularly check your credit report.
You can check your credit report for free with all three credit reporting agencies (CRAs) once a year at annualcreditreport.com. If you spot an account you didn’t open, follow the steps below as recommended by The Federal Trade Commission (FTC).
1. Fraud on your accounts? Report it to the company
If you spot fraudulent activity on your existing accounts, contact the companies and let them know which transactions you didn’t make. You can then ask them to close your accounts or give you new account numbers so the activity can’t continue.
And don’t forget to change all your passwords and additional login information. If you were using those passwords on other accounts (a big security no-no), change them there, just in case.
2. New accounts opened in your name? Report it to the CRAs
When you request your credit reports on annualcreditreport.com, you will get one from each of the three credit reporting agencies (CRAs): Experian, TransUnion, and Equifax. If any of the three show an account that you didn’t open, dispute it with that CRA.
3. Protect your credit by putting a fraud alert on your credit files
If you want to prevent more fraud, you can either put an initial fraud alert or an extended fraud alert on your credit files. An initial fraud alert lasts for 90 days, and an extended fraud alert lasts for seven years. Both make it so that creditors have to go through extra steps to verify your identity before extending credit in your name.
If you want even more protection, consider a credit freeze. There is a small fee – typically $10 – but it prevents anyone from being able to open credit in your name for as long as you have the freeze on your file. Just make sure to remove it if you need to apply for credit.
4. Report identity theft to the FTC
Finally, if you are a victim of identity theft, report it to the FTC on their site, identitytheft.gov. The FTC recommends an additional step of filing a local police report.