Senator asks DeVos to review FAFSA privacy protections


Democratic Sen. Ron Wyden is asking Education Secretary Betsy DeVos to take action to improve the privacy and security of the federal student financial aid application, in light of concerns about the way the application manages students’ sensitive information.

In the letter, Wyden asks DeVos to consider implementing two-factor authentication in the Free Application for Federal Student Aid (FAFSA), either by emailing an applicant as part of the login process or having them use a physical security key, such as a USB dongle.

“Given the sensitivity of the data collected during the FAFSA application, it is paramount that this information be protected from identity thieves. To that end, I urge you to direct your staff to examine the existing security controls protecting the FAFSA website, and to consider additional cybersecurity protections,” the Oregon senator wrote.

During the process of filling out and submitting a FAFSA form, students provide information such as their birth date, Social Security number, home address and tax filing information.

Wyden’s inquiry and concerns appear to have been prompted by a post authored by cybersecurity blogger Brian Krebs in late November, calling attention to the ease with which someone can log into FAFSA. While applicants can log in using a traditional username and password, they can also simply enter their name, date of birth and Social Security number as an alternative.

Krebs argued that individuals’ dates of birth and Social Security numbers are ubiquitous because of numerous breaches of companies holding that information. However, Krebs later updated his post with a correction from the Department of Education, after he initially claimed that anyone with a name, date of birth and SSN can then access sensitive information about that student’s family, such as net worth, investments, receipt of child support and other information.

A correction on Krebs’s post reads: “The data is displayed across several pages that require manual advancement, and that before the pages with financial data are shown the visitor is prompted to supply a username and password that all users are required to create when they start the application process. The agency said that without those credentials, the system should not display the rest of the data.”

The Department of Education did not respond to EdScoop’s request for comment on Wyden’s letter.

The FAFSA is no stranger to privacy issues. An online tool that FAFSA applicants could use to automatically retrieve information from families’ tax returns was on hiatus for several months this year due to concerns that it may have aided identity thieves. A federal court convicted a Louisiana man early last week for attempting to use the tool to obtain President Donald Trump’s tax records during his 2016 candidacy.

The Department of Education is working to modernize the FAFSA process by overhauling the online experience, with plans to release a mobile app by the spring of 2018.