Federal student loan data targeted in fraud

Officials have declined to prosecute in a case where employees at a private firm tampered with a federal student loan database.


Federal prosecutors have declined to bring charges in a series of cases involving tampering with federal student loan accounts, including six instances of tampering by employees at a credit reporting firm.

Workers at that firm, then known as Kroll Factual Data, tampered with several federal student loan accounts to the point where customer service representatives at one loan provider weren't able to trust the data in their computers.

The episode came to light after a complaint from a Sallie Mae customer that the email address on his account had been changed without his permission, according to a heavily redacted Education Department Office of Inspector General investigation report obtained through a Freedom of Information Act request.

The federal loan provider told the government that the individual who manipulated the customer's account "impaired the integrity of the data in Sallie Mae systems," and "if the email address has been changed without the knowledge of Sallie Mae or the customer, then Sallie Mae cannot trust the data in the system," according to the 2015 final report.

No one was ever prosecuted for a crime in the Kroll Factual Data case, however, or in nearly 20 other similar cases at other financial companies recounted in a September 2016 inspector general audit.

These investigations into unauthorized behavior involving online federal student loan accounts highlight the challenge of penalizing companies that fiddle with sensitive borrower data for commercial or personal gain. The 2016 report that exposes credential abuse warns that, when outside entities open accounts or change user information, the Department of Education and loan servicers may not be able to contact the borrower. Additionally, the report asserts that such activity violates federal user agreements.

Congress checks in

Some in Congress are pressing the Education Department to end the growing problem by shoring up the National Student Loan Data System, a central government database that underpins all student financial aid accounts. Online student loan deception became the focus of two House Oversight and Government Reform Committee hearings within a single month this May.

Rep. Elijah Cummings, D-Md., ranking Democrat on the Oversight committee and an advocate for student aid reform, said the Kroll meddling seems similar to other exploitation the committee has reviewed.

"It is outrageous that these companies could not be prosecuted because of technicalities for conduct they must have known was wrong. We need to prevent loan servicing companies from engaging in these abuses and hold them accountable for protecting the students they are supposed to be serving," Cummings wrote in an email, referencing the Kroll case and previous probes into online student loan fraud. "These are abuses, plain and simple."

After the customer contacted Sallie Mae about the email address swap in 2013, Sallie Mae's in-house investigators checked his PIN. They determined that he had been locked out of his account, that someone had re-enrolled him under a new PIN account, and that all the activity traced back to an IP address assigned to Kroll, according to the Department of Education inspector general's report.

New ownership at Kroll

Patricia Christel, a spokesperson for Navient, which spun off from Sallie Mae and services federal student loans, said in a July 10 email that the company didn't authorize Kroll's online activities and didn't provide Kroll with any customer federal student loan information.

"Our security program worked as designed to detect unauthorized traffic, and we followed established procedures to notify federal officials and collaboratively work with law enforcement," Christel said, adding that Navient follows industry best practices to safeguard customer privacy.

During the inspector general investigation, records showed Kroll employees even changed six usernames for Sallie Mae accounts to a fictitious name. The credit reporting company said that it "counseled" one of the employees, according to the report, but it is unclear what this admonishment involved.

Kroll did not provide an explanation for how it obtained personal information to log into these accounts. Navient said it does not know definitively how Kroll acquired the data and does not want to speculate.

Catherine Grant, congressional and public affairs liaison for the Department of Education Office of the Inspector General, said in an email that "Kroll Factual Data did not keep detailed records" that explained the method by which employees obtained students' info.

A spokesperson for Kroll's new parent company FD Holdings, which acquired Kroll in January 2015, said in an emailed statement that the Department of Education inspector general inquired about "certain student loan information accessed by Kroll Factual Data in connection with one of its service offerings." But FD Holdings said it does not know further details about the incident, because the company didn't purchase Kroll until years after this happened.

The Department of Education presented the examination of "unauthorized Sallie Mae account tampering" to the Justice Department Computer Crimes and Intellectual Property Section for potential prosecution in 2014, but Justice declined to prosecute anyone, the report states.

One reason for not taking on the case was redacted in the final report, and another reason given was that potential remedies are available elsewhere, specifically at the Federal Trade Commission, which received the case in February 2015 and agreed to accept it.

FTC officials said, as a policy, the commission does not comment on whether it is investigating a matter.

The Kroll situation is but one example of recurrent findings by the Department of Education IG that outside vendors are misusing federal student loan credentials.

Tightening up citizen-facing tools

Many situations similar to the Kroll case pop up in the 2016 inspector general audit, Grant noted. In one investigation, an unidentified loan consolidator that promised to enroll borrowers in debt forgiveness programs -- for which they weren't necessarily eligible -- allegedly accessed the National Student Loan Data System and tampered with a borrower's PIN account. But the company had required borrowers to sign a power of attorney granting permission to view their accounts, so investigators were stymied in trying to bring charges for unauthorized access.

Other recent hacks of the system include a breach of a since-deactivated IRS tool supporting the Department of Education's online financial assistance form that may have affected up to 100,000 taxpayers.

In May, Diverse: Issues in Higher Education reported that a Louisiana private investigator allegedly tried exploiting the component, part of the Free Application for Federal Student Aid, to illegally obtain Donald Trump's tax records during last year's presidential campaign.

The tool was unplugged in March, after it became clear that bad actors were submitting Social Security numbers and other data to make the form automatically upload tax information.

Officials at Department of Education headquarters declined to comment on the Kroll breaches, but said they have been adjusting login requirements for certain financial aid websites, like FAFSA.gov and StudentLoans.gov.

In May 2015, Education rolled out "FSA ID," a credential consisting of a username and strong password. The sign-on method does away with PINs and offers three options to reset accounts: enter a secure code sent by SMS message, a code sent by email, or the answers to previously chosen challenge questions.

"FSA ID uses several mechanisms to try to prevent fraud during account creation and login," Education spokeswoman Elizabeth Hill wrote in an email. Recently, "SMS was added for ID verification and account recovery," but that is optional.

The department completed a simple fix in May, when it quietly altered the terms and conditions on the National Student Loan Data System and the FSA ID website, as recommended by the inspector general. Now, the warning explicitly states that it's against the law for a third party to access the site for commercial or private financial gain, even if assisting an authorized user.

But the Education Department has yet to carry out repeated inspector general recommendations to require multi-factor authentication, which would demand users have a password or other credential plus an outside form of proof that can't be duplicated, like a one-time code from an automated voice call.

Cummings, who sits on several university boards, is working to ensure that agencies are well equipped, adequately funded, and fully staffed to protect young people from predatory lenders and cyber criminals, his aides say.

"There's something about this that just tears at my heart," the congressman said at a May 3 House hearing. "I see young people having to drop out of school because they don't have money and they are struggling. They just want to go out there and be all that God meant for them to be and not only do they have to fight people who are supposed to be helping them but then they lose the opportunity."
