At least 600 current and former Stanford employees are vulnerable to tax fraud following the illegitimate download of their W-2 forms through a third-party service.
The security breach is presumably responsible for a rash of tax scam cases disclosed to Stanford, starting on April 1. As of April 7, 23 Stanford employees had reported phony tax filings to the University for this year. That number is still growing as more employees file their taxes, although it remains under 100, according to Stanford spokesperson Lisa Lapin. Lapin could not give a more specific number.
Stanford began investigating the fraud issue earlier this month after several employees reported unauthorized filing of their tax returns. On April 4, the Stanford Department of Public Safety (SUDPS) sent out a University-wide “Community Alert” advising general caution about tax fraud and identity theft.
“At the time of the University alert, it did not appear that the University was being specifically targeted,” wrote Randy Livingston in an April 8 notice in the Stanford Report.
But upon further examination, University officials discovered that the issue was much larger: A perpetrator or group of perpetrators had used hundreds of Stanford employees’ Social Security numbers and dates of birth to download W-2 forms from the vendor W-2Express, which the University uses to make tax forms accessible online.
Stanford was not the only W-2Express client targeted. Other employers using the vendor are also currently dealing with data breaches.
According to Livingston, nothing so far indicates that the personal information required to access individuals’ W-2 forms was acquired through Stanford’s own systems. How scammers could have gotten hold of this information for so many Stanford-affiliated individuals is currently under investigation — as is the time at which the downloads occurred, Lapin said.
What the University does know is that close to 20 percent of about 3,500 total W-2 downloads via the W-2Express system were likely fraudulent.
“An affected current or former employee may not yet be aware that his/her records have been compromised,” Livingston wrote.
Early this week, the University will email all individuals whose W-2 forms were accessed through W-2Express — regardless of whether the downloads are believed legitimate or not — in order to alert all potential fraud victims.
Livingston said that employees should file their taxes as usual and then contact Stanford’s Financial Support Center if the government informs them that their forms have been subject to fraud. Stanford’s Financial Support Center can be called at (650) 723-2772 or emailed at fin help ‘at’ stanford.edu.
Equifax, the credit bureau that runs W-2Express, will provide additional support, supplying all Stanford affiliated-fraud victims with credit monitoring, fraud alert services and up to $25,000 to cover expenses of the identity theft.
Regardless of whether one has been scammed, the Stanford Department of Public Safety (SUDPS) has advised heightened awareness. In its initial April 4 cautionary email, the department noted that Stanford’s Information Security Office website has guidelines for Stanford community members on avoiding identity theft. The email also shared an Internal Revenue Service (IRS) campaign intended to help individuals protect their personal financial data.
Currently, Stanford is working with Equifax to manage the fraudulent downloads. In the meantime, W-2Express has been disabled; it will return once a better authentication system “that does not rely on personally identifiable information” is created, Livingston said.
However, Stanford employees can continue to safely use Axess, another online system that provides tax forms, among other services. Axess documents are protected by a different, two-step authentication process.