Two hundred seventy-five former and current employees had their W-2 and 1095-C information stolen last week when their accounts on Ceridian, the payroll tax management service with which Bowdoin contracts to provide tax reports to employees, were accessed illegally.

The College has contracted with the credit protection company AllClear ID to provide an identity theft insurance policy, theft monitoring services and other services to affected employees. The College will cover the cost for families that choose to accept the service for two years. Bowdoin will soon be extending AllClear credit monitoring benefits to all employees and their dependents.

According to a secure resource page published on the Bowdoin Controller’s Office’s website, while the College became aware of the hack on March 30, 2016, there are indications that illegal access to employee accounts may have occurred over the course of several weeks beginning in early February. 

Employees who had their tax returns diverted will eventually be able to get them back, but it may take some time.

“Everybody is working with the IRS. We’re told it takes between nine and 12 weeks to get this all resolved,” said Katy Longley, senior vice president for finance and administration and treasurer.

Longley said that the College believes whoever accessed W-2 information has had the Social Security numbers of employees for some time, and was waiting for tax season to use them.

“From what we understand about the criminal behavior is that people buy these books of Social Security numbers and they hold them for a couple years, then they use them,” said Longley. “They do it during tax season when it’s so busy that they think people won’t notice, and they try to get refunds.”

According to Longley, the College will explore other options for payroll tax reporting and has retained legal counsel.

For those affected, this data breach serves as a reminder that, though there are steps one can take towards protecting personal data, total security is impossible.

“Many aspects of my financial life have been compromised and, like those I know who have been similarly affected, I have spent hours trying to protect myself from the possible consequences of that,” Associate Professor of Computer Science Stephen Majercik wrote in an email to the Orient. “An incident like this really drives home how vulnerable we all are online. It makes you want to take yourself completely offline, but, of course, you can’t.”

Employee information was accessed when an unknown criminal entity used illegally obtained Social Security numbers coupled with employee ZIP codes to access the portal. Once inside, they reset account passwords, changed the email associated with the account and diverted W-2s and 1095-Cs to that new email. The perpetrators would have had access to Social Security numbers, addresses, taxable federal and state wages and taxes withheld via the W-2 forms. 1095-Cs include the names and last four Social Security number digits of any dependents claimed by employees on their health insurance. The College has no idea how employee Social Security numbers were obtained.

No student information was compromised.
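
The sequence described above (portal access using a Social Security number and ZIP code, then a password reset, an email change and tax forms sent to the new address) is one a portal operator can look for in its audit log. The following is an added example, not code from the article, the College or Ceridian; the event names, log layout and 24-hour window are assumptions, and the log entries are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # assumed threshold; tune to the portal's traffic
# Hypothetical event names for the four steps reported in the article.
CHAIN = ["kba_login", "password_reset", "email_change", "tax_form_sent"]

# Constructed sample audit log: (timestamp, account, event, detail).
SAMPLE_LOG = [
    ("2016-02-09T03:14:00", "emp-1041", "kba_login", "ssn+zip"),
    ("2016-02-09T03:15:10", "emp-1041", "password_reset", ""),
    ("2016-02-09T03:16:02", "emp-1041", "email_change", "new@mail.example"),
    ("2016-02-09T03:17:30", "emp-1041", "tax_form_sent", "new@mail.example"),
    ("2016-02-10T09:00:00", "emp-2210", "password_login", ""),
    ("2016-02-10T09:02:00", "emp-2210", "tax_form_sent", "staff@college.example"),
    ("2016-02-11T14:00:00", "emp-3307", "kba_login", "ssn+zip"),
    ("2016-02-11T14:01:00", "emp-3307", "password_reset", ""),
    ("2016-02-20T10:00:00", "emp-3307", "email_change", "me@home.example"),
]

def find_takeovers(log, window=WINDOW):
    """Return accounts where the full chain occurs in order within `window`,
    ending with a tax form sent to the newly set email address."""
    by_account = defaultdict(list)
    for ts, account, event, detail in log:
        by_account[account].append((datetime.fromisoformat(ts), event, detail))
    flagged = []
    for account, events in by_account.items():
        events.sort(key=lambda e: e[0])
        step, start, new_email = 0, None, None
        for when, event, detail in events:
            if start is not None and when - start > window:
                step, start, new_email = 0, None, None  # chain went stale
            if event != CHAIN[step]:
                continue
            if event == "tax_form_sent" and detail != new_email:
                continue  # delivery to an address other than the new one
            if step == 0:
                start = when
            if event == "email_change":
                new_email = detail
            step += 1
            if step == len(CHAIN):
                flagged.append((account, start.isoformat(), new_email))
                break
    return flagged
```

On the constructed log only `emp-1041` is flagged; the ordinary password login and the slow, incomplete chain on `emp-3307` are not.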