Latest tax-related data breach could affect employees and their children

Whiting-Turner, a Baltimore, Maryland-based construction company with contracts in both the private and federal sectors, says a recent security incident at a vendor hired to provide tax services could impact employees and their children.

A breach notification letter, submitted on April 6 to California and Vermont, says that on March 8, a vendor hired to perform tax services for Whiting-Turner noticed suspicious activity on their systems. Around the same time, Whiting-Turner employees reported fraudulent tax filings in their names.

The construction firm shutdown the vendor’s access to their systems and launched an investigation. The investigation is ongoing, but the notice was issued out of an abundance of caution, the company says.

“…we believe this incident may affect the security of your child’s information contained on that employee policyholder’s 2015 IRS Form 1095, which includes the following: name, date of birth, and Social Security number of any minor dependent,” a letter from the company to parents and guardians explains.

If the minor in question has a reason to file a tax return this year, the notification letter says they’ll need to contact the IRS and file an Identity Theft Affidavit (Form 14039). Parents are also being offered one year of credit monitoring for the children potentially impacted.

In a separate letter, addressed to employees, Whiting-Turner offers the same basic explanation, but notes that the incident affects current, former, or retired employees who received a 2015 W-2.

It isn’t clear if the incident reported by Whiting-Turner is related to the spike in email scams targeting W-2 information, but it certainly fits the bill.

$2.3 billion in losses:

According to stats recently released by the FBI, Phishing attacks targeting W-2 data, also known as Business Email Compromise/Correspondence attacks, have amounted to more than $2.3 billion in losses since 2013. Since 2015, the agency has seen a 270-percent increase in the number of identified victims and exposed loss.

The vendor used by Whiting-Turner isn’t named in the notification letter, however on April 4, the Maryland Comptroller announced the suspension of electronic and paper tax return processing from more than 60 organizations that operate within the state.

In many cases, criminals will use stolen tax information and file fraudulent returns with smaller tax preparation firms  in order to avoid scrutiny. However, once that firm’s services have been overly abused, the criminals are forced to look elsewhere. Some of the nation’s largest tax services have been abused by such schemes – no one is immune.

Recap:

In the first quarter of 2016, more 41 organizations reported Phishing attacks targeting employee W-2 records. Since the tracker on Salted Hash went live, others have started tracking the W-2 scams as well, including Cloudmark. According to an update on their blog, the company says at least 60 organizations have been victimized by these targeted attacks.

As the second quarter of the year begins, a new crop of reported victims has already emerged.

• Hutchinson Community College reports that W-2 information for 1,357 employees was compromised. But the school doesn’t say if it was Phishing related.
• Ash Brokerage, in Fort Wayne, Indiana, says a Phishing email compromised W-2 data for 423 employees.
• New York Law firm Proskauer Rose reported 2015 W-2 data was compromised after someone pretended to be a senior executive and requested such data.
• Pivotal Software issued a notification on March 31 that an email impersonating the company’s CEO, Rob Mee, requested 2015 W-2 data, which was then released by an employee who believed the request was legitimate.

After seeing a trend in recent cases, one expert spotted an obvious flaw in the workflow at many of the victimized organizations.

“The employee shouldn’t have been able to access that much data without some sort of oversight kicking in. The fact that a single employee, for any reason, could grab so much data and simply send it to anyone, regardless of who they think that person is, is a scary prospect when you stop to think about it,” remarked Jonathan Sander, vice president at Lieberman Software, in an email.

“Of course, you can also ask why an employee would be fooled into thinking that an executive would be making such a sweeping request. That raises the question of how executives expect to be able to give directions. Executives need to lead by example, and if their example has made employees feel that the CEO may in fact ask for such a huge dump of data without qualification or process then that is an issue.”

Updated on 8-APRIL-2016 to add a link to a tracking blog published by Cloudmark.