Security experts have warned that the US Department of Education's website for the Free Application for Federal Student Aid (FAFSA) inadvertently leaves the sensitive personal details of millions of applicants exposed to hackers and identity thieves.
The website requires students seeking financial assistance to fill out a form giving personal as well as financial details. Security expert Brian Krebs warned that the website grants access to a trove of such sensitive personal information to anyone who knows an applicant's Social Security Number (SSN) and date of birth.
According to Krebs, visitors to the FAFSA login page can either enter the student's FSA ID and password or plug in the "student's information". Users who choose the second option are prompted to enter the student's first and last name, date of birth and SSN.
"Anyone who successfully supplies that information on a student who has applied for financial aid through FAFSA then gets to see a virtual colonoscopy of personal information on that individual and their family's finances — including almost 200 different data elements," Krebs wrote in a blog post.
The fields of information include a torrent of personal details for both students and their parents, including permanent address, driver's license number, phone number, citizenship status and alien registration number, marital status, whether or not the student has a drug conviction, income tax paid, adjusted gross income, net worth, child support payments, veteran status, whether the student is an emancipated minor, and more.
"From an identity thief's perspective, it seems like the only question missing from this list is, 'What was the name of your first pet?' Seriously though, armed with this bounty of data identity thieves would likely have little trouble impersonating a student (or parents of a student) who had applied for federal financial aid," the security expert wrote.
Nearly 20 million people filled out the FAFSA form in the 2015/2016 application cycle, according to the Education Department.
Krebs noted that the problem lies in the Education Department's assumption that a person's SSN is a secret piece of information. However, there is a wide array of websites on the internet and the Dark Web that sell access to millions of Americans' social security numbers and dates of birth for as little as $4 to $5 (£3 to £3.75) worth of Bitcoin.
The revelation comes after the Internal Revenue Service (IRS) in March disabled an automated tool on its website, the Data Retrieval Tool, that allowed students and their families to apply for federal financial assistance. It was found that threat actors had been exploiting the tool — which retrieves data from FAFSA — to learn the adjusted gross income of applicant families and other details in order to commit tax refund fraud against the IRS.
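The design flaw Krebs describes is that name, date of birth and SSN are static data points used as if they were a credential. The following Python model is an added illustration written for this article; it is not code from Krebs's post or from the Education Department's system, and every record value, the FSA ID, the password and the API shape are constructed. It places the weak path (static identity data returns the whole record) beside a hardened portal in which only an FSA ID plus a password-derived secret unlocks the record, failed logins are throttled and lockouts are audited, and static identity data can at most start a recovery flow that returns nothing about the applicant.

```python
"""Weak knowledge-based lookup beside a credential-based portal (constructed model)."""
import hashlib
import hmac
import secrets
import time

# Constructed sample applicant record: fictional person, fictional values.
RECORD = {
    "first": "Jane", "last": "Doe", "dob": "2001-04-12", "ssn": "123-45-6789",
    "driver_license": "D1234567", "adjusted_gross_income": 48200, "net_worth": 12000,
}
FSA_ID = "jdoe"                                  # constructed account name
_SALT = secrets.token_bytes(16)                  # per-account salt, generated at start-up here
_PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse battery", _SALT, 200_000)


def weak_lookup(first, last, dob, ssn):
    """The path described in the article: whoever supplies the right static data
    gets the full record. Nothing here is secret in the credential sense, since
    these four values circulate widely in breach data."""
    key = (RECORD["first"], RECORD["last"], RECORD["dob"], RECORD["ssn"])
    return dict(RECORD) if (first, last, dob, ssn) == key else None


class HardenedPortal:
    """Record access only through an authenticated session; static data never unlocks it."""
    MAX_ATTEMPTS = 5
    LOCKOUT_SECONDS = 900

    def __init__(self, clock=time.monotonic):
        self._clock = clock            # injectable for testing the lockout window
        self._failures = {}            # fsa_id -> (failed_count, locked_until)
        self._sessions = {}            # session token -> fsa_id
        self.audit = []                # (event, fsa_id) tuples a SOC would ingest

    def login(self, fsa_id, password):
        count, until = self._failures.get(fsa_id, (0, 0.0))
        if self._clock() < until:
            self.audit.append(("locked", fsa_id))
            return None
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 200_000)
        ok = fsa_id == FSA_ID and hmac.compare_digest(candidate, _PASSWORD_HASH)
        if not ok:
            count += 1
            if count >= self.MAX_ATTEMPTS:
                until = self._clock() + self.LOCKOUT_SECONDS
            self._failures[fsa_id] = (count, until)
            self.audit.append(("login_failed", fsa_id))
            return None
        self._failures.pop(fsa_id, None)
        token = secrets.token_urlsafe(32)        # unguessable session handle
        self._sessions[token] = fsa_id
        self.audit.append(("login_ok", fsa_id))
        return token

    def get_record(self, token):
        """The record is released only to a live session for the owning account."""
        if self._sessions.get(token) != FSA_ID:
            return None
        return dict(RECORD)

    def static_data_request(self, first, last, dob, ssn):
        """Replacement for weak_lookup: static data may start a recovery flow, but the
        response is identical whether or not the data matched, so the endpoint leaks
        neither the record nor whether an applicant exists."""
        self.audit.append(("recovery_requested", f"{last}/{dob}"))
        return "If the details match an application, instructions were sent to the contact on file."


if __name__ == "__main__":
    print("weak path returns:", weak_lookup("Jane", "Doe", "2001-04-12", "123-45-6789"))
    portal = HardenedPortal()
    print("static data on hardened portal:", portal.static_data_request("Jane", "Doe", "2001-04-12", "123-45-6789"))
    tok = portal.login(FSA_ID, "correct horse battery")
    print("authenticated record:", portal.get_record(tok))
```

The `audit` list stands in for the log stream a defender would watch: a burst of `login_failed` or `recovery_requested` events against many distinct accounts is the signal that someone is working through purchased SSN and date-of-birth pairs, which the weak path gives no opportunity to observe.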
Krebs has advised applicants to get a free copy of their credit report and consider putting a security freeze on their credit reports as a precaution against possible identity theft.
"Somehow, we need to move away from allowing online access to such a deep vein of consumer data just by supplying static data points that are broadly compromised in a thousand breaches and on sale very cheaply in the cybercrime underground," Krebs added.