Two weeks ago, the IRS announced a data breach that affected 100,000 taxpayers and cost the Federal Government nearly $50 million in fraudulent refunds.
How did it happen?
Attackers used information obtained in earlier breaches to build profiles of taxpayers detailed enough to answer the multistep identity-verification questions that gated access to previous tax returns and filings, siphoning off millions before the scheme was detected.
This is a clear example of attackers' growing sophistication and of the ready market for breached data.
More importantly, it shows that any business or organization handling sensitive information needs to invest in serious security measures.
Hacking isn’t going away. It’s only growing more prevalent and elaborate. Here’s why:
The Web of Data Breaches
The information needed to access those records, including Social Security numbers, previous addresses and birth dates, most likely wasn't compiled from one data breach but farmed from many of them. This means that data from many "small" breaches of less sensitive information can be combined and compounded to reach more sensitive information held by major organizations such as the IRS. Data like this is reportedly being sold on criminal forums and combined to launch more effective attacks on private accounts.
In short, there is no such thing as a minimal data breach anymore.
Higher Ed Industry’s Responsibility
Between 2005 and 2014 there were 727 data breaches at educational institutions involving 14 million records, according to Privacy Rights Clearinghouse. Additionally, student aid fraud costs taxpayers $1 billion or more every year, through tactics that include hacking student accounts and diverting financial aid disbursements.
It's time higher education institutions recognized the security burden they carry and took extensive measures to protect student information from attackers.
What To Do
Security experts say the IRS should have required a second authentication step, such as a one-time verification code sent to the user's mobile phone, rather than relying only on questions an attacker could answer from breached data.
Higher ed institutions should consider requiring a second step whenever a student logs into his or her account from a new device. Many Chase bank customers already have experience with this kind of authentication, and more and more financial institutions are set to adopt it.
What We’ve Done for You
Two-step authentication is a security feature that all StudentVerification users will have access to this month. If you haven’t heard of it, StudentVerification is the secure, student self-service platform dozens of schools use to easily and digitally manage the entire verification process.
The word "secure" is the key. The FAFSA verification process frequently involves sensitive documents such as bank statements, driver's licenses or passports, Social Security cards and tax statements. Some schools currently accept these supporting documents via email, which is neither encrypted end to end nor a reliable way to confirm who actually sent a document.
StudentVerification already required users to confirm ISIR information to create an account. But with breached personal data now being used to defeat exactly that kind of knowledge-based check, as the IRS case showed, we decided our system could be better. This month we roll out 2-step authentication, which aims to ensure that student and parent records are accessed only by the owners of those records.
How 2-step authentication works: when a student or parent attempts to access an account from a device the system does not recognize, it sends a one-time code by text message or email. The user must enter that code into StudentVerification before the account is opened, so a stolen password alone is not enough to get in.
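To make the mechanism concrete, here is an added example of the server-side logic behind such a new-device check. It is illustrative code written for this post, not StudentVerification's own implementation, and it assumes a server-side HMAC key, a delivery callback standing in for the SMS or email gateway, and an in-memory store. The details a practitioner cares about are all visible: the code comes from a CSPRNG, is stored only as a keyed hash, expires, is single-use, and is compared in constant time, and the "remember this device" token has real entropy.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy values for this illustration; tune them to your own risk appetite.
CODE_TTL_SECONDS = 300   # a code is accepted for five minutes
MAX_ATTEMPTS = 5         # after five wrong guesses the code is discarded
DEVICE_TOKEN_BYTES = 32  # entropy in the "remember this device" token


class TwoStepAuth:
    """Second step after a correct password, keyed per account.

    Illustrative only: state lives in dictionaries, and delivery of the code is a
    callback that stands in for an SMS or email gateway.
    """

    def __init__(self, server_key: bytes, send_code, now=time.time):
        self._key = server_key        # secret used to HMAC stored codes and device tokens
        self._send_code = send_code   # callable(account_id, code) -> None
        self._now = now               # injectable clock so expiry can be tested
        self._pending = {}            # account_id -> {"mac", "expires", "attempts"}
        self._trusted = {}            # account_id -> set of HMACs of issued device tokens

    def _mac(self, value: str) -> str:
        # Codes and tokens are stored only as HMACs: a leaked table cannot be replayed,
        # and a 6-digit code cannot be brute-forced offline without the server key.
        return hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()

    def is_known_device(self, account_id: str, device_token) -> bool:
        if not device_token:
            return False
        return self._mac(device_token) in self._trusted.get(account_id, set())

    def begin(self, account_id: str, device_token=None) -> bool:
        """Call after the password check. Returns True if the device is trusted
        (no second step needed); otherwise sends a fresh code and returns False."""
        if self.is_known_device(account_id, device_token):
            return True
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, zero-padded to six digits
        self._pending[account_id] = {
            "mac": self._mac(code),
            "expires": self._now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self._send_code(account_id, code)
        return False

    def verify(self, account_id: str, submitted_code: str):
        """Check a submitted code. Returns (ok, device_token): on success the token
        should be stored client-side (for example in an HttpOnly cookie) so the
        next login from this device skips the second step."""
        entry = self._pending.get(account_id)
        if entry is None:
            return False, None
        if self._now() > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[account_id]      # expired or locked: force a new code
            return False, None
        entry["attempts"] += 1
        if not hmac.compare_digest(entry["mac"], self._mac(submitted_code)):
            return False, None                 # a wrong guess counts against the limit
        del self._pending[account_id]          # single use: a captured code cannot be replayed
        token = secrets.token_urlsafe(DEVICE_TOKEN_BYTES)
        self._trusted.setdefault(account_id, set()).add(self._mac(token))
        return True, token


if __name__ == "__main__":
    # Constructed walk-through with a fake delivery channel.
    outbox = []
    auth = TwoStepAuth(b"example-server-key", send_code=lambda acct, c: outbox.append(c))
    print("trusted device?", auth.begin("student-1"))          # False, a code is "sent"
    ok, token = auth.verify("student-1", outbox[-1])
    print("code accepted?", ok)
    print("trusted device next time?", auth.begin("student-1", token))
```

Two caveats apply to any deployment of this pattern. A code delivered by text or email is only as strong as the phone number or mailbox it goes to, so the contact details used for delivery must themselves be protected from change without re-authentication. And the attempt limit is per code; you still want a separate rate limit on how often a single account or IP address can request new codes.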
If you are not using StudentVerification, click here to see more information on the platform. If you haven't signed up yet, here are a few tips for protecting student data, though they won't stop a determined attacker.
1. Educate students. Remind your students that faxing or emailing documents is not secure. The safest way (after StudentVerification) to deliver sensitive documents to your office is by hand. Remind them that nobody except your financial aid officers should ever request their information about student aid, and that anyone else who asks for it should be reported to your office immediately.
2. Pick the right vendors. We wrote a blog post here about how to choose vendors you can trust with student data.
3. Monitor IP addresses. Watching for suspicious login patterns will help you catch fraud or account-takeover attempts early. StudentVerification has a built-in feature that lets schools flag behavior such as several accounts logging in from the same address or accounts with repeated login failures. Check whether your SIS offers anything similar.
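The two patterns named in tip 3 (many accounts from one address, many failures against one account) are easy to check for yourself if your portal writes a login log. The script below is an added example written for this post, not StudentVerification's feature or your SIS's; the one-line-per-attempt log format and the constructed sample entries are assumptions, so adapt LINE_RE to whatever your system actually records. Both detectors use a sliding time window rather than a flat daily count, which is what keeps a slow, spread-out attack from hiding in the noise.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# One line per login attempt; the format is assumed for this example, so adapt LINE_RE
# to whatever your SIS or portal actually writes.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log, not real traffic. 203.0.113.7 reaches four accounts in seven
# minutes; 198.51.100.4 fails five times against epark and then gets in; 192.0.2.9 is
# two different users hours apart, which should not fire.
SAMPLE_LOG = """
2015-06-08T09:00:01Z ip=203.0.113.7 user=asmith result=OK
2015-06-08T09:03:15Z ip=203.0.113.7 user=bjones result=OK
2015-06-08T09:05:40Z ip=203.0.113.7 user=clee result=OK
2015-06-08T09:07:02Z ip=203.0.113.7 user=dkim result=OK
2015-06-08T09:10:00Z ip=198.51.100.4 user=epark result=FAIL
2015-06-08T09:10:20Z ip=198.51.100.4 user=epark result=FAIL
2015-06-08T09:10:41Z ip=198.51.100.4 user=epark result=FAIL
2015-06-08T09:11:05Z ip=198.51.100.4 user=epark result=FAIL
2015-06-08T09:11:30Z ip=198.51.100.4 user=epark result=FAIL
2015-06-08T09:12:00Z ip=198.51.100.4 user=epark result=OK
2015-06-08T10:30:00Z ip=192.0.2.9 user=fgomez result=OK
2015-06-08T13:00:00Z ip=192.0.2.9 user=hwang result=OK
garbage line that does not match the format
"""


def parse(lines):
    """Return (timestamp, ip, user, result) tuples in time order, skipping malformed lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a bad line should not abort the whole sweep
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["ip"], m["user"], m["result"]))
    events.sort()
    return events


def _windowed(items, window):
    """Yield (start, end) index pairs for every sliding window of length `window`
    over time-sorted items whose first element is the timestamp."""
    start = 0
    for end in range(len(items)):
        while items[end][0] - items[start][0] > window:
            start += 1
        yield start, end


def shared_ip_alerts(events, min_accounts=3, window=timedelta(minutes=30)):
    """IPs that successfully log into at least min_accounts distinct accounts within `window`."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "OK":
            by_ip[ip].append((ts, user))
    alerts = {}
    for ip, hits in by_ip.items():
        for start, end in _windowed(hits, window):
            users = {u for _, u in hits[start:end + 1]}
            if len(users) >= min_accounts:
                alerts.setdefault(ip, set()).update(users)
    return alerts


def failed_login_alerts(events, max_failures=5, window=timedelta(minutes=15)):
    """Accounts with max_failures or more FAIL results inside any `window`; value is the peak count."""
    by_user = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            by_user[user].append((ts,))
    alerts = {}
    for user, fails in by_user.items():
        for start, end in _windowed(fails, window):
            count = end - start + 1
            if count >= max_failures:
                alerts[user] = max(alerts.get(user, 0), count)
    return alerts


def report(lines):
    events = parse(lines)
    return {"shared_ip": shared_ip_alerts(events), "failed_logins": failed_login_alerts(events)}


if __name__ == "__main__":
    for kind, hits in report(SAMPLE_LOG.splitlines()).items():
        for key, detail in hits.items():
            print(f"{kind}: {key} -> {detail}")
```

Expect false positives from the first detector on a campus: a computer lab or a NAT gateway legitimately puts many students behind one address, so maintain an allowlist of known shared addresses or raise min_accounts for them rather than ignoring the signal entirely. The sample also shows a pattern worth a third rule of its own: a run of failures followed by a success on the same account, which is what a password-guessing attack looks like when it finally works.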