The arrival of the holidays heralds another season soon to arrive: the tax season and, with it, the tax-return fraud season. And while the Internal Revenue Service has made some moves toward stanching the flow of fraudulent tax returns filed by cyber-criminals, another government agency may be offering up fresh fuel to fraudsters' efforts: the US Department of Education. Update: An Education Department spokesperson asserts that this is not the case, and that the data is protected appropriately—see the update below.

On November 24, security reporter Brian Krebs revealed how the agency's site for the Free Application for Federal Student Aid (FAFSA) not only allows students to apply for financial assistance, but it also allows anyone with a student's name, Social Security number, and date of birth to access all of the information they've entered in their application—and even some they may not have. And that data includes tax data that could be used to submit fraudulent electronic tax returns, including adjusted gross income (AGI) from the previous tax cycle.

Back in March, the Education Department and the IRS shut down a system called the Data Retrieval Tool that allowed FAFSA applicants to automatically populate fields in their applications from their IRS tax records. The reason: more than 100,000 taxpayers may have had their information fraudulently retrieved through the FAFSA application system. A similar concern arose two years ago over a federal student loan application system that also tapped into IRS data and over an IRS PIN tool meant to allow taxpayers to protect their electronic filing.

But while the tool has been shut down, that same information is required to complete aid applications—so while it can no longer be used to harvest information without students applying for aid, it can still be used to target students who have applications in the system. More than 20 million students applied for financial aid during the 2015-2016 school year.

While the FAFSA website prompts for an "FSA ID" (a user-created username and password), Krebs reported, site users can also log in with first and last name, date of birth, and SSN—regardless of whether an FSA ID has been set up or not. That provides access to all of the information within the FAFSA application—more than 200 fields of information, which hold more detail than a credit report does on many pieces of personal information about both students and their parents. Those fields include permanent address, driver's license number, marital status, immigration data, whether the student has a drug conviction, income tax paid, net worth, child support payments, and veteran status, among many others.

Krebs recommends that anyone who has applied for financial aid get a free copy of their credit report and consider a security freeze on their credit reports as a defense against identity fraud.

Update, November 28: An FSA spokesperson, who would not speak on the record as they are not authorized to make statements for the Department of Education, told Ars that Krebs' story was inaccurate regarding the level of access provided by using a student's identifying information. According to the FSA spokesperson, using name, SSN, and date of birth only provides limited access. There's also a "save" key that a student can use to pass the application on to a parent or another person preparing a FAFSA application, but that would require the FSA ID to access all of the fields of the application.

The IRS tool has been reactivated, but with some additional protection. First, the applicant has to be authenticated through the IRS site to initiate the data transfer. And when the transferred data is inserted into the FAFSA application, it is masked—the data cannot be read or extracted through the application view on the FAFSA site.