Stanford University employees victim of tax fraud after breach at third-party vendor

The W-2 forms of some Stanford University employees were fraudulently downloaded from the university's third-party vendor, W-2Express, operated by the credit bureau Equifax.

How many victims? The W-2 forms of some 3,500 Stanford employees were downloaded. The school said some of those downloads might have been legitimate, but at least 600 were fraudulent.

What type of information? 2015 W-2s

What happened? Hackers infiltrated the systems of W-2Express and downloaded W-2 forms of some Stanford University employees. Some of that information has already been used to file fraudulent tax returns. Stanford says that downloading the forms requires the victims' Social Security numbers and dates of birth, which the school believes the hackers obtained elsewhere.

What was the response? Stanford's Department of Public Safety and the Information Security Office issued an alert to the university community and began investigating the breach, quickly discovering that it had occurred at W-2Express. The school is working with Equifax and Stanford's Department of Public Safety. It has begun to alert those who might have been affected. W-2Express has been temporarily disabled and will be brought back online only after a more secure authentication method is in place. Equifax will provide victims with a year of free credit monitoring, fraud alert and other services, as well as up to $25,000 in Identity Fraud Expense Coverage and credit report access.

Details: Stanford officials discovered the breach while investigating reports from a few employees that fraudulent tax returns had been filed. There is no evidence that Stanford was targeted, since W-2Express's authentication system is used by many other organizations.

Quote: “The perpetrators were already in possession of this personal information, which was subsequently used to log in and download the W-2 forms. At this time, we have no reason to believe that this sensitive information was obtained from Stanford systems,” Randy Livingston, vice president for business affairs and CFO at Stanford, wrote in a letter posted on the school's website.

Source: Stanford University
