The College notified 275 current and former employees on Thursday that their personal information, including W-2 forms and social security numbers, had been compromised. According to an email to all college employees, this data was illegally accessed through the self-service “See my W-2” portal operated by Ceridian HCM Inc., a third party company that manages payroll tax filings. Ceridian had problems with security breaches in the past, including one that prompted the Federal Trade Commission (FTC) to file a lawsuit against the company in 2011.

The College was contacted Tuesday by Maine Revenue Services who notified them that they had received a suspicious tax return filed with a valid W-2 from Bowdoin. The link to the portal has since been removed from the Bowdoin website. Senior Vice President for Finance and Administration and Treasurer Catherine Longley followed up with all employees shortly after, outlining steps employees could take to further protect their personal information.
Senior Vice President for Communications and Public Affairs Scott Hood said in an email to the Orient that the College had no reason to believe that any student information had been accessed. He also said that the college would not continue to use the portal that was compromised. 

Laboratory Instructor in Physics and Astronomy Kenneth Dennison was one of those whose information was illegally obtained. He found out when he received a tax account transcript that he did not request. Once he verified its authenticity it was clear that something had gone wrong. 

Associate Professor of Physics Mark Battle was also targeted. 

“A colleague told me on Tuesday of his experience and I commiserated, and then I went home and found on my table a letter from the IRS saying, ‘someone tried to file a tax return in your name is this really you?’ At which point I knew I had been bitten the same way he had,” he said. 
Though the breach only came to light this week, there is some evidence that whatever criminal entity accessed the data has had it for some time.

“They’ve had it for a while. The IRS told me that a tax return was first filed in my name on February 23,” said Battle. “There was one on February 23, another one on February 25, and one on March 23.”

The FTC’s lawsuit against Ceridian—which included a lawsuit against Lookout Services, a I-9 software company—was prompted after data was breached for over 65,000 consumers, 28,000 of which were Ceridian customers. Deeming Ceridian’s security procedures “unfair and deceptive,” the FTC required Ceridian to submit to independent security audits for the next 20 years every other year as part of the final settlement.