An illegal breach of the campus severs has found many Palomar employees dealing with stolen identity, fraudulent tax returns and purchases under their names.
The W-2 forms of every person on the College’s 2016 payroll were accessed on Jan. 19 by an unauthorized individual, who has yet to be identified. These forms contain social security numbers, names, and addresses.
Shannon Leinhart, president of the Palomar Faculty Federation, said that the union considered a lawsuit, but their legal council told them it would not be financially feasible.
“It’s a drag, but there’s not a whole lot we could do as a union to deal with this,” Leinhart said.
The college initially responded by giving affected employees a free year of credit monitoring service, up to $1 million in credit fraud insurance and notified local police, the IRS, and the FBI. In response to the concerns of faculty expressed during a forum about the breach, the district has now offered affected employees an additional year of the identity protection service and eight hours of their regular work schedule to deal with tax fraud issues.
Connie Moise, director of Information Services, the department responsible for holding the accessed data, declined an in person interview but agreed to answer questions over email.
When asked how the individual gained access to the data, Moise stated, “They logged in to the internet-based student portal using a system account with credentials reserved for running system processes… The system account was used to run the HR payroll process that produces the W-2 files.”
Since the individual gained access through an authorized account, the security systems in place were bypassed.
After the breach, Information Services immediately changed the access credentials of the account used and hired a cyber-security firm to assist in an analysis of the systems to find evidence of any other unauthorized access
“To date, they have reported no new findings, although their work is not yet complete,” Moise stated.
The individual or group responsible for the hack have not been identified, though investigators currently believe they are operating out of Demoine, Iowa.
Since the breach many faculty have received letters from the IRS asking them to verify their identities for tax returns they’ve never filed. One faculty member who received this letter was Teresa Laughlin.
“I didn’t file my taxes yet, so I knew right away someone had tried to file my taxes,” Laughlin said.
To prove her identity and receive the forms to do her taxes by mail, Laughlin drove to the IRS office in Laguna Nigel, the closest one that would see her within the month.
There, she found that it was not just her who was affected.
“I spoke to the woman at the IRS and found out that not only was my social security number taken but so was my husbands, so it had gone a little bit further than I had expected,” Laughlin said.
Laughlin’s husband is not an employee of the College and the administration has claimed that only the social security numbers of employees were taken in the breach.
“I don’t know the ins and outs of how it happened, but my social security number has been taken. You can’t change your social security number,” Laughlin said. “Ultimately this is something that plagues us for forever. It’s unfortunate, but it’s not the end of the world.”
It is unclear how many employees have had their taxes filed fraudulently, but a significant number of reports from faculty have surfaced.
Susan Miller, who got the letter from the IRS in early March, said most of the faculty she knows have had their taxes filed or dealt with some other issue.
Miller not only had her taxes filed fraudulently, but also had two accounts for Amazon and a Walmart account opened in her name.
“I get alerts on my phone like, ‘How do you like the new camera?’ and it’s like ‘I never bought a camera,'” Miller said.
Miller found out about the accounts through the identity theft protection service provided by the college. “I’m glad I have that because if I didn’t there would be three extra accounts opened,” Miller said.
Miller added that even with the identity protection service, there is no way to know if accounts are being opened unless you get an alert.
“There’s no way to track everything that’s going on when your ID is stolen like that,” Miller said. “They could be buying feed for cows in Africa for all I know.”
One of her frustrations Miler encountered is the time it takes to deal with the issue. “It takes a significant amount of time and effort to protect your identity… spending lots of hours on the phone trying to track down accounts that were opened and freeze accounts,” Miller said.