The Washington Post

Education Dept. left Social Security numbers of thousands of borrowers exposed for months

Education Secretary Betsy DeVos and the Education Department left the Social Security numbers of about 240,000 people exposed for months. (Manuel Balce Ceneta/AP)

The Education Department left the Social Security numbers of tens of thousands of people seeking student debt relief unprotected and susceptible to a data breach for at least six months, according to people familiar with the matter.

Angela Morabito, a spokeswoman for the Education Department, acknowledged the error but called it a “nonevent.” The data “was on the department’s secure, internal server, and there is no indication anyone outside the department could have had access to it,” she said. “There is also no indication anyone inside the department handled this file improperly.”

But anyone at the federal agency, and some of its contractors, could have accessed the personally identifiable information through a shared folder before it was secured on Friday, putting thousands of people’s personal information at risk, according to internal documents obtained by The Washington Post.

The information came from applications for student debt relief submitted by borrowers who say they were defrauded by their colleges. A 1995 law, known as “borrower defense to repayment,” provides federal loan forgiveness to students whose colleges lied to get them to enroll.

For the better part of five years, the Education Department has been inundated with claims from former students of defunct for-profit chains Corinthian Colleges and ITT Technical Institutes, which have been sued for fraud and for steering students into predatory loans. Borrowers say they were saddled with debt for worthless degrees and have been seeking relief ever since, in court and from the Education Department.

But as those former students await a decision from the Trump administration, their sensitive data has been exposed for months. A person with access to the database, who spoke on the condition of anonymity out of fear of retribution, found files in December containing the Social Security numbers of nearly 200,000 applicants. The files, which should not have been accessible by this person, were available on a shared folder that is used by some contractors and various divisions within the agency.

Morabito said “department protocols prevent sensitive data from being emailed,” and that the department’s cybersecurity team would know if anyone tried to remove the data from the government’s servers. Asked if the department was certain that no one with access could have simply written down Social Security numbers for later use, Morabito did not respond.

Cybersecurity expert Tony Scott, who served as the federal chief information officer during the Obama administration, said that, in general, federal agencies should encrypt files containing sensitive data, or create a two-step authentication process to secure the information.

“There is a legitimate need in some cases for people to share personally identifiable information,” Scott said. “But the policy is, generally, people have access just on a need-to-know or need-to-use basis.”

The person who discovered the data said previous attempts to flag similar weaknesses in information security at the department were ignored years earlier. So when this latest gap was discovered toward the end of last year, the person alerted congressional committees and expected the issue to be resolved.

During a House Education Committee hearing in December, Rep. Alma Adams (D-N.C.) didn’t mention the files specifically but asked Education Secretary Betsy DeVos whether she was taking appropriate steps to protect the personal information of defrauded borrowers.

“Can you commit to reviewing the security of that data and reporting back to this committee to assure that current and future applicants and their data is being managed responsibly? Can you commit to that?” Adams asked DeVos.

“Yes, I commit to that, just as I commit to continuing to being responsive to data security across the board,” DeVos responded.

Everyone thought the issue had been resolved. But when the person looked at the shared folder last week, the files, now containing the sensitive data of about 240,000 people, were still accessible.

“The Department of Education’s mishandling of personally identifiable information adds insult to injury for defrauded borrowers, some of whom have waited more than three years for relief,” Rep. Robert C. “Bobby” Scott (D-Va.), chairman of the House Education Committee, said Tuesday. “The Department’s failure to faithfully implement Borrower Defense has already forced hundreds of thousands of borrowers to put their lives on hold. Now, it appears the Department exposed borrowers’ private data — an issue Secretary DeVos committed to addressing months ago.”

The Education Department’s Office of Inspector General contacted the department Thursday after learning about the files, according to Catherine Grant, a spokeswoman for the inspector general. Grant would not disclose whether the office has launched an investigation into the matter.

In an email exchange Thursday, IT contractors working for the department warned an internal cybersecurity team that the Federal Student Aid office had a bigger problem on its hands than it realized, and that there were ways to block access to the folders, according to documents reviewed by The Post.

By the next day, the department had shut off access to the data.

“We learned of this issue late Thursday, and within 24 hours, restored the proper file permissions to a more limited number of employees,” Morabito said. “We are currently conducting a comprehensive internal review.”

According to the internal emails, the files at issue are tied to two separate but related class-action lawsuits. One of those cases involves a group of former Corinthian students who sued DeVos in March 2018, after she granted only partial debt relief to defrauded students. DeVos was eventually held in contempt for violating a court order to stop collecting loan payments from the Corinthian students involved in the case. Because of the department’s actions, some people had their wages garnished or tax refunds seized by the federal government.

DeVos said the Corinthian case stymied the department from processing all the debt-relief claims. But borrowers who attended other schools argued that it had no bearing on their applications, and sued. While the Corinthian case is ongoing, the Education Department in April reached a settlement in the second case agreeing to process nearly 170,000 debt cancellation claims within 18 months.


Toby Merrill, an attorney representing students in both cases, was disappointed to learn Monday that her clients were placed at risk by the department’s handling of their sensitive data.

“It is unfortunately not surprising that the department would be so cavalier,” said Merrill, director at the Project on Predatory Student Lending, a legal-aid group. “The consistent failure to respect these students’ rights is apparent in the department’s regulations, its approach to borrower defense, and its approach to litigation.”

This is not the first time the Education Department has been cited for weaknesses in its handling of data. A recent inspection by the National Archives and Records Administration criticized the agency’s compliance with federal standards for records management. A 2019 report from the department’s inspector general raised concerns that the student aid office did not have adequate safeguards in place to protect its networks and had not effectively managed security risks.

Government agencies, including the Office of Personnel Management and Department of Homeland Security, have been targets of a spate of data breaches in recent years.

“Many agencies struggle with protecting [personally identifiable information] such as Social Security numbers. The number of systems they maintain, the complexity of it, they just struggle to get their arms around it,” said Richard Spires, a former chief information officer at DHS. “Having secure access with the right authentication measures in place … encrypting the data ... those are the kinds of practices you hope would be in place.”