IRS says thousands of taxpayers affected by financial aid breach

The IRS says hackers posed as students applying for financial aid.

Aaron P. Bernstein via Getty Images

Tax day is rapidly approaching in the US, but according to the IRS, there could be additional headaches for up to 100,000 people this year. Hackers posing as students applying for financial aid possibly swiped taxpayer details through the FAFSA (Free Application for Federal Student Aid) online tool. According to The New York Times, the breach has the potential of being the most extensive since the 2015 tax return incident when info on over 300,000 taxpayers was used to file false claims. The IRS later increased that estimate to potentially affect 700,000 people.

Tax-related data breaches are becoming an annual occurrence in the United States. Following the massive 2015 hack, thieves nabbed 100,000 e-file PINs last year. Those numbers could be used to file fraudulent returns in an attempt to collect any potential refunds.

The Department of Education and the IRS shutdown the Data Retrieval Tool for the FAFSA in early March when the two learned the system was compromised. That tool helps import tax info to the lengthy financial aid forms. Late last month, both sides announced the feature would remain offline for the rest of this application season. Of course, that means families applying for federal aid have to find those old tax return details manually.

The New York Times reports the IRS became aware of a possible security flaw that would allow attackers to use the FAFSA tool to swipe tax info last fall. The concern is the same as the e-file PIN issue last year: those details could be used to file fraudulent claims to try and collect refunds. IRS commissioner John Koskinen told a Senate Finance Committee Thursday that the agency has already contacted 35,000 taxpayers and was planning to send notice to 100,000 total to warn them of a potential issue. Right now, the IRS believes fewer than 8,000 fake returns were filed and processed, but Koskinen admitted the full scope of the breach has yet to be determined.