Mike D’Onofrio reports:
Dozens of employees at New Jersey City University had their identities stolen and federal tax returns filed in their names after a security breach allowed access to their personal information., school and employee union officials confirmed.
Union leaders at the Jersey City university say as many as 39 union members have been the victims of identity theft after they learned that their federal tax returns were filed in their names and the ID thieves collected their tax refund checks.
[…]
Ellen Wayman-Gordon, a spokeswoman for the university, confirmed that employees have brought the issue to the university’s attention. The university issued a notice on March 26 warning faculty and staff about the security breach.
Wayman-Gordon also said that “no direct connection to the university had been identified.”
Read more on NJ.com.
So was it the university’s breach or not? They don’t seem to know for sure. Given we’ve also seen lots of reports of tax refund fraud involving doctors’ identity information where we don’t know the point of compromise or how the data were acquired, I’m not surprised that NJCU may not know whether it has been breached. Their March 26th letter to employees doesn’t seem to be online. Does anyone have a copy? And if so, does it mention whether they’ve called in an external forensics expert to investigate?
Of course, if the university’s network has been compromised and they haven’t figured it out, how many more employees’ information may still be at risk?