Federal student loan data targeted in fraud

Federal prosecutors have declined to bring charges in a series of cases involving tampering with federal student loan accounts, including six instances of tampering by employees at a credit reporting firm.

Workers at that firm, then known as Kroll Factual Data, tampered with several federal student loan accounts to the point where customer service representatives at one loan provider weren't able to trust the data in their computers.

The episode came to light after a complaint from a Sallie Mae customer that the email address on his account had been changed without his permission, according to a heavily-redacted Education Department Office of Inspector General investigation report obtained through a Freedom of Information Act request.

The federal loan provider told the government that the individual who manipulated the customer's account "impaired the integrity of the data in Sallie Mae systems," and "if the email address has been changed without the knowledge of Sallie Mae or the customer, then Sallie Mae cannot trust the data in the system," according to the 2015 final report.

No one was ever prosecuted for a crime in the Kroll Factual Data case, however, or in nearly 20 other similar cases at other financial companies recounted in a September 2016 inspector general audit.

These investigations into unauthorized behavior involving online federal student loan accounts highlight the challenge of penalizing companies who fiddle with sensitive borrower data for commercial or personal gain. The 2016 report that exposes credential abuse warns that, when outside entities open accounts or change user information, the Department of Education and loan servicers may not be able to contact the borrower. Additionally, the report asserts that such activity violates federal user agreements.

Congress checks in

Some in Congress are pressing the Education Department to end the growing problem by shoring up the National Student Loan Data System, a central government database that underpins all student financial aid accounts. Online student loan deception became the focus of two House Oversight and Government Reform Committee hearings in one month this May.

Rep. Elijah Cummings, D-Md., ranking Democrat on the Oversight committee and an advocate for student aid reform, said the Kroll meddling seems similar to other exploitation the committee has reviewed.

"It is outrageous that these companies could not be prosecuted because of technicalities for conduct they must have known was wrong. We need to prevent loan servicing companies from engaging in these abuses and hold them accountable for protecting the students they are supposed to be serving," Cummings wrote in an email, referencing the Kroll case and previous probes into online student loan fraud. "These are abuses, plain and simple."

After the customer contacted Sallie Mae about the email address swap in 2013, Sallie Mae's in-house investigators checked his PIN. They determined that he had been locked out of his account, someone re-enrolled him under a new PIN account, and all the activity traced back to an IP address assigned to Kroll, according to the Department of Education inspector general's report.

New ownership at Kroll

Patricia Christel, a spokesperson for Navient, which spun off from Sallie Mae and services federal student loans, said in a July 10 email that the company didn't authorize Kroll's online activities and didn't provide Kroll with any customer federal student loan information.

"Our security program worked as designed to detect unauthorized traffic, and we followed established procedures to notify federal officials and collaboratively work with law enforcement," Christel said, adding that Navient follows industry best practices to safeguard customer privacy.

During the inspector general investigation, records showed Kroll employees even changed six usernames for Sallie Mae accounts to a fictitious name^. The credit reporting company said that it "counseled" one of the employees, according to the report, but it is unclear what this admonishment involved.

Kroll did not provide an explanation for how it obtained personal information to log into these accounts. Navient said it does not know definitively how Kroll acquired the data and does not want to speculate.

Catherine Grant, congressional and public affairs liaison for the Department of Education Office of the Inspector General, said in an email that "Kroll Factual Data did not keep detailed records" that explained the method by which employees obtained students' info.

A spokesperson for Kroll's new parent company FD Holdings, which acquired Kroll in January 2015, said in an emailed statement that the Department of Education inspector general inquired about "certain student loan information accessed by Kroll Factual Data in connection with one of its service offerings." But FD Holdings said it does not know further details about the incident, because the company didn't purchase Kroll until years after this happened.

The Department of Education presented the examination of "unauthorized Sallie Mae account tampering" to the Justice Department Computer Crimes and Intellectual Property Section for potential prosecution in 2014, but Justice declined to prosecute anyone, the report states.

One reason for not taking on the case was redacted in the final report, and another reason given was that potential remedies are available elsewhere, specifically at the Federal Trade Commission, which received the case in February 2015 and agreed to accept it.

FTC officials said, as a policy, the commission does not comment on whether it is investigating a matter.

The Kroll situation is but one example of recurrent findings by the Department of Education IG that outside vendors are misusing federal student loan credentials.

Tightening up citizen-facing tools

Many situations similar to the Kroll case pop up in the 2016 inspector general audit, Grant noted. In one investigation, an unidentified loan consolidator that promised to enroll borrowers in debt forgiveness programs -- for which they weren't necessarily eligible -- allegedly accessed the National Student Loan Data System and tampered with a borrower's PIN account. But the company had required borrowers to sign a power of attorney granting permission to view their accounts, so investigators were stymied in trying to bring charges for unauthorized access.

Other recent hacks of the system include a breach of a since-deactivated IRS tool supporting the Department of Education's online financial assistance form that may have affected up to 100,000 taxpayers.

In May, Diverse: Issues in Higher Education reported that a Louisiana private investigator allegedly tried exploiting the component, part of the Free Application for Federal Student Aid, to illegally obtain Donald Trump's tax records during last year's presidential campaign.

The tool was unplugged in March, after it became clear that bad actors were submitting Social Security numbers and other data to make the form automatically upload tax information.

Officials at Department of Education headquarters declined to comment on the Kroll breaches, but said they have been adjusting login requirements for certain financial aid websites, like FAFSA.gov and StudentLoans.gov.

In May 2015, Education rolled out "FSA ID," a credential consisting of a username and strong password. The sign on method does away with PINs and offers three options to reset accounts: enter a secure code sent by SMS message, a code sent by email, or the answers to previously chosen challenge questions.

"FSA ID uses several mechanisms to try to prevent fraud during account creation and login," Education spokeswoman Elizabeth Hill wrote in an email. Recently, "SMS was added for ID verification and account recovery," but that is optional.

The department completed a simple fix in May, when it quietly altered the terms and conditions on the National Student Loan Data System and the FSA ID website, as recommended by the inspector general. Now, the warning explicitly states that it's against the law for a third party to access the site for commercial or private financial gain, even if assisting an authorized user.

But the Education Department has yet to carry out repeated inspector general recommendations to require multi-factor authentication, which would demand users have a password or other credential plus an outside form of proof that can't be duplicated, like a one-time code from an automated voice call.

Cummings, who sits on several university boards, is working to ensure that agencies are well equipped, adequately funded, and fully staffed to protect young people from predatory lenders and cyber criminals, his aides say.

"There's something about this that just tears at my heart," the congressman said at a May 3 House hearing. "I see young people having to drop out of school because they don't have money and they are struggling. They just want to go out there and be all that God meant for them to be and not only to they have to fight people who are supposed to be helping them but then they lose the opportunity."