Beazley Breach Solutions has put together some tips to be mindful of during this time of year (or any time of year, for that matter!)
The IRS reports examples of fraudulent requests like these:
- Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all of our company staff for a quick review.
- Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
- I want you to send me the list of employees wage and tax statements for 2015. I need them in PDF file type; you can send it as an attachment. Kindly prepare the lists and email them to me asap.
To minimize the chance of a successful attack, here are some steps you can take:
- If you receive an email request for sensitive employee data, especially anything that involves Social Security numbers or banking or other financial data, pick up the phone to confirm it.
- Although phishing attacks are getting more sophisticated, stay alert to clues that a message is phish-y: written with unusual phrasing; addressed to your full or legal name instead of your nickname; or appearing to be sent by someone who wouldn't usually request this type of information.
- Double-check email domain names by looking at them carefully or hovering your cursor over them to see what the destination email really is.
You may also receive phone calls, emails, texts and popups on your computer at home or at work asking you to give up personal information. These requests may be accompanied by threats of legal action.
Please remember: NO LEGITIMATE organization will ask you for personal information or passwords over the phone or through electronic communication.
The best thing to do is to hang up the phone and delete emails without opening them. DO NOT GIVE ANYONE YOUR PERSONAL INFORMATION.
If something doesn't sound right to you, contact the office or institution by phone to verify the legitimacy of the call or email.
Contact Christine Damrose-Mahlmann, TCC's privacy officer, if you have questions or need assistance. Email firstname.lastname@example.org or call her at 757-822-1298.
Additional questions and answers will be posted here as further information is received. Send your questions to email@example.com
Employee Response Hotline to be discontinued
Updated July 28, 2016
The TCC Employee Response Hotline, the toll-free number that was established immediately in the wake of the identity theft incident, will be discontinued as of July 31.
Deadline for credit monitoring has passed
Updated July 28, 2016
The deadline to enroll in Experian’s ProtectMyID Alert was July 8.
If you missed the deadline, see the tips below to help you take advantage of no-cost services through the major credit-reporting agencies: Experian, TransUnion and Equifax.
Experian credit monitoring is for 24 months
Updated April 26, 2016
When you sign up for the Experian ProtectMyID credit monitoring service, the website may tell you the monitoring is free for 12 months.
TCC is funding an additional 12 months of monitoring. Employees and former employees will be receiving 24 months of free credit monitoring.
Summary of the incident
An unauthorized individual, impersonating a TCC executive, contacted a TCC employee via email requesting W-2 information for TCC employees.
Later that day, before it was determined that the request was fraudulent, the employee provided the information. The file contained the names of individual employees, their Social Security numbers, and 2015 compensation and deduction information.
Who is affected?
Current and former full-time, part-time wage, adjunct and student employees, including work-study students—anyone who received taxable wages from TCC for 2015.
What is TCC doing?
Updated April 26, 2016
The college is operating on several fronts in this matter.
TCC is working with a reputable company so that you will be able to access 24 months of free credit monitoring from Experian and have a toll-free number you can call if you have a question.
To reach the TCC Employee Response Hotline, call
1-844-804-4370 (toll free)
Monday through Friday 9 a.m. to 9 p.m.
You should have received a letter in the mail at your home address with instructions on setting up free credit monitoring.
TCC’s leadership is also working with investigators and state authorities to identify the means of this attack.
Further, President Kolovani has directed senior staff to implement advanced cybersecurity training for all employees who handle sensitive data.
How will communication be handled?
You will receive official written communications at home. This web page will be updated as needed. There may be additional emails from President Kolovani or other members of senior staff.
Additionally, President Kolovani will address the data breach and answer questions during the following town hall meetings:
Workforce Solutions Center
Wednesday, April 6, 9 a.m.
Friday, April 8, 2 p.m.
Green District Administration Building
College Board Room, 6th floor
Monday, April 11, 1 p.m.
Chesapeake Campus Student Center, Chesapeake Bay Room
Campus Assistance Center schedule extended
Updated April 25, 2016
The Campus Assistance Centers, which were established to help employees complete IRS and credit agency notifications, will operate for an additional week from April 26 to April 29.
You can get help on all campuses, at the District Administration Building and at the Center for Workforce Solutions.
Updated July 18, 2016
If you suspect that someone has filed a fraudulent tax return using your information, we recommend contacting the IRS Identity Protection Specialized Unit at 800-908-4490. They are available Monday through Friday from 7 a.m. to 7 p.m.
For additional information from the IRS, visit www.irs.gov/uac/Taxpayer-Guide-to-Identity-Theft
Starting in December 2016, personal identification numbers (PINs) will be issued by the IRS and the Virginia Department of Taxation to those taxpayers who have been identified as victims of identity theft.
The PIN will be used to verify that the taxpayer is the rightful filer of the return.
To ensure timely processing, taxpayers must use the PIN on any 2016 individual income returns filed during 2017.
PINs will be valid for one calendar year. A new PIN will be issued to affected taxpayers each year by late December.
At this time neither agency is able to provide all taxpayers with PINs upon request.
Updated April 8, 2016
The exposed information is found on a W-2, including:
- Employee name
- Social Security number
- Employee Payline number
- Federal wages and tax
- Social security wages and tax
- State wages and tax
- Deductions for health insurance, retirement funds and dependent care
The file did NOT contain address, date of birth, spouse information, banking information or email addresses.
This image shows the data that was exposed:
Updated April 26, 2016
Typically, companies provide 12 months of credit monitoring in identity theft incidents.
However, TCC is funding a second 12 months of monitoring for our employees and former employees.
No matter what the website says when you sign up for Experian ProtectMyID, you will have 24 months of monitoring.
While spouses’ information was not included in the files sent in the email, we recommend that they follow the steps we have provided to help protect themselves against the misuse of their information.
The identity theft disclosed the amount of contributions, but did not disclose our retirement account numbers, plan information, or the vendors.
Nonetheless, the Benefits team in HR has alerted our retirement plan vendors, including the Virginia Retirement System and the state’s third party administrator for 403(b) plans, to the data breach.
Additionally, the Benefits team will verify any loans, withdrawals, or refunds on employee and former employee retirement accounts. They will contact the employee or former employee to ensure it is a legitimate request before processing.
The retirement plan providers themselves can take additional measures to protect both your personal information as well as your assets.
If you are interested in having your 403(b) and/or 457(b) plan provider take additional measures, please contact your account provider(s) directly to alert them you have had some personally identifiable information compromised. Discuss with them the additional measures they can take and how those measures may affect accessing your account going forward.
No, the identity theft involved only 2015 TCC employee information.
Yes, we have reported this incident to law enforcement, including the FBI and State Police, and are cooperating with their ongoing investigation.
The initial email from the unauthorized individual requesting employee information was received on March 2, 2016. The information was sent later that day.
Below is a full timeline associated with the incident:
- March 1: IRS Alert to Payroll and HR Professionals to Phishing Scheme involving W-2s (The college has no indication of receipt of this notification).
- March 2: TCC identity theft incident occurred.
- March 10: TCC Help Desk emailed MOAT Alerts Newsletter that contained general information on the subject of phishing threats.
- March 23: VCCS System Office communication to the presidents alerting them to this nationwide scam.
- March 24: TCC incident discovered.
- March 25: TCC president emailed college community.
Updated April 11, 2016
Whether or not you suspect that your personal information has been used to file a false tax return or for some other fraudulent purpose, your information has been compromised. Do the following:
1. Contact one of the three major credit-reporting agencies — Equifax, TransUnion, or Experian — to place a fraud alert on your credit file. The one you place a fraud alert with will contact the other two. Renew the fraud alert every 90 days.
- Equifax: https://www.alerts.equifax.com/AutoFraud_Online/jsp/fraudAlert.jsp
- TransUnion: https://fraud.transunion.com/fa/fraudAlert/landingPage.jsp
- Experian: https://www.experian.com/fraud/center.html
You can request a copy of your current credit report when you set up the fraud alert.
2. Complete and submit IRS Form 4506-T, Request for Transcript of Tax Return for calendar year 2015. This tax transcript will allow you to determine if your taxes have been fraudulently filed.
3. Complete and submit IRS Form 14039, Identity Theft Affidavit. It alerts the IRS that you have reason to believe your personal information may be used fraudulently.
The form and further information are available here.
Alternatively, you may call the IRS Identity Protection Specialized Unit toll-free at 1-800-908-4490.
4. Place an alert with ChexSystems. Chex Systems, Inc. is a consumer-reporting agency governed by the federal Fair Credit Reporting Act (FCRA) and other laws (the Federal Trade Commission enforces the FCRA). It provides account verification services to its financial institution members to aid them in identifying account applicants who may have a history of account mishandling (for example, people whose accounts were overdrawn and then closed by them or their bank).
In short, ChexSystems is like the credit reporting agencies (Equifax, Experian, TransUnion) but specific to checking/savings history instead of credit/loan history.
ChexSystems has two protections available:
- Consumer Report Security Alert: This puts a flag on your consumer file stating the banking institution needs to take additional steps to confirm it is you who is initiating the action (much like placing a fraud alert with the credit reporting agencies). You may request a 90-day alert, which is the default, though you may extend it to 7 years if you have an affidavit of fraud.
To set the Consumer Report Security Alert, call 888-478-6536 or use the online system.
- Consumer Report Security Freeze: This will prohibit ChexSystems from releasing any information in your consumer file without your express authorization, meaning you have to contact ChexSystems and lift the freeze in order for your information to be released (much like placing a freeze with the credit reporting agencies).
You should be aware that taking advantage of this right may delay or prevent timely approval from any user of your consumer report. Any third party that you want to do business with will receive a message indicating that you have blocked your information.
To set the Consumer Report Security Freeze, call 800-887-7652 or use the online system.
Updated April 4, 2016
If you believe your personal information has already been used fraudulently:
Report the identity theft to the Federal Trade Commission at https://www.idtheft.gov. You can also call 1-877-IDTHEFT.
File an identity-theft report with your local police or sheriff’s department. The police report is necessary to show that you made an official report of identity theft.
Report the theft of your Social Security number to the Internet Crime Complaint Center at https://www.ic3.gov/. The report will be distributed to the relevant federal, state and local authorities.
Complete and submit IRS Form 14039, Identity Theft Affidavit.
Contact the Virginia Department of Taxation. For details on how to report your identity theft to the state, visit: www.tax.virginia.gov/content/tax-related-identity-theft-prevention
Log in or establish an account with the Social Security Administration at www.socialsecurity.gov. There, you can review your Social Security record for inconsistencies. Details are at https://faq.ssa.gov/link/portal/34011/34019/Article/3792/What-should-I-do-if-I-think-someone-is-using-my-Social-Security-number
You may also want to establish a “credit freeze” with the credit reporting agencies.
The Federal Trade Commission offers a good resource on what to do in case of identity theft at http://www.consumer.ftc.gov/features/feature-0014-identity-theft.
In addition, in order for us to maintain a record of all employees whose private information is misused, report your incident on this web form: https://forms.tcc.edu/identity-theft-report
Be sure to keep your report general. Do not include sensitive or personal information.
Updated April 7, 2016
You can make a police report for identity theft as soon as your information has been used fraudulently, for example, to file taxes, open an account or attempt to open an account.
Note that your personal information has to be fraudulently used, not just acquired.
When making your report, reference Virginia State Police report 16-7705 (date of report 3/28/16).
This number documents the reporting of the data breach and, if a local department follows up on the complaint, they will be able to coordinate with the State Police using that report number.
Virginia Beach, Chesapeake and Norfolk have Economic Crime units; if you live elsewhere, reports can be made to the detective bureau in your locality.
You must go in person to the police department to make a report.
- Chesapeake Economic Crime Unit: 757-382-6161
- Norfolk Economic Crime Unit: 757-664-7018
- Portsmouth Detective Bureau: 757-393-8536
- Virginia Beach Economic Crime Unit: 757-385-8101
- Suffolk Detective Bureau: 757-925-1439
- Hampton Detective Bureau: 757-727-6530
- Newport News Detective Bureau: 757-928-4200
A fraud alert puts creditors on notice that you may be a victim of fraud. There are two types of fraud alerts: an initial alert and an extended alert.
You may ask that an initial fraud alert be placed on your credit report if you suspect you have been, or are about to be, a victim of identity theft. The initial alert stays on your account for 90 days. You can extend it another 90 days by contacting the credit agency.
An extended alert can be placed on your credit report if you have already been the victim of identity theft. Generally, a police report is required. An extended fraud alert stays on your credit report for seven years.
Contact any of the credit reporting agencies to place fraud alerts on your credit reports.
Also called a “security freeze,” a credit freeze prevents any new credit from being opened under your name without the use of a PIN that is issued to you when you initiate the freeze.
If you apply for new credit, such as a car loan, the lender will not be able to access your credit records unless you temporarily lift the freeze.
There is a small fee for each credit reporting agency to establish credit freezes. You must contact the three agencies separately to set up a credit freeze.
Some TCC employees have reported encountering problems with their personal information prior to March 2 or with information unrelated to the March 2 incident. The source of these problems is undetermined.
There have been other high-profile data breaches in recent months in which our employees may have been affected, specifically the hack at Anthem Blue Cross Blue Shield and the cybersecurity incidents affecting the federal government's Office of Personnel Management.
At TCC, we are aware only of the data stolen on March 2. We have notified the VCCS and law enforcement of the pre-March 2 problems our employees have reported.
Yes. The IRS will send you a redacted copy of a fraudulent return if you are the primary or secondary taxpayer and if you supply certain information.
- Your name and SSN
- Your mailing address
- Tax year(s) of the fraudulent return(s) you are requesting
- The following statement, with your signature beneath: “I declare that I am the taxpayer.”
Your letter must be accompanied by a copy of your government-issued identification (for example, a driver’s license or passport).
Full instructions and delivery address can be found here: www.irs.gov/Individuals/Instructions-for-Requesting-Copy-of-Fraudulent-Returns
If you have already successfully filed your tax return, it's still a good idea to submit IRS Form 14039, Identity Theft Affidavit. It alerts the IRS that you have reason to believe your personal information may be used fraudulently.
Yes. As a result of the Anthem data breach, Anthem contracted with AllClear ID to provide credit monitoring and identity theft repair services for two years at NO COST to Anthem members whose personal information was included in the breach.
We are still within that two-year window and eligible for the services. Anthem participants were automatically enrolled in the Identity Repair Assistance benefits.
Members could sign up for additional services such as credit monitoring, child identity protection, identity theft insurance, identity theft monitoring/fraud detection and phone alerts.
The following is a link to the letter sent out in February 2015 that provides information pertaining to the services available through the Anthem data breach.
Those employees and covered family members who were affected by the Anthem breach have access to these services.
Yes, two in particular.
Anthem and Aetna, the two providers offering state health insurance, provide the following services through the Employee Assistance Program (EAP):
- Free Credit Monitoring
- Identity Theft Recovery
- Legal/Financial Consultations
The EAP is available to full-time employees enrolled in state health insurance. The program can also assist you and family members in dealing with the stress associated with this situation.
Some employees are enrolled in pre-paid legal plans such as Legal Resources and Legal Shield, which offer identity theft services. Contact your provider directly to see what services are available under your plan.
Contact the Benefits team in HR if you have any questions:
- M. Nannette Richardson, Employee Compensation and Benefits Manager, firstname.lastname@example.org, 822-1737
- Michelle McBeth, Benefits Specialist, employee last names beginning A-J, email@example.com, 822-1706
- Angela Vann, Benefits Specialist, employee last names beginning K-Z, firstname.lastname@example.org, 822-1916
Or contact Beth Lunde, associate vice president for Human Resources at email@example.com, 822-1711
No. TCC is contracting with a trusted vendor to provide free credit monitoring services.
It’s small comfort, but TCC isn’t alone. Cyber threats of all kinds are a major problem.
Incidents of tax scams, in which thieves file false returns using stolen data, have increased 400 percent, according to a recent article in USA Today. Typically, these involve “phishing”: You receive an email that appears to be official asking you to confirm some personal information.
This incident is a case of “spear phishing,” in which a particular recipient is targeted for a fake email. This is also a widespread problem. Our email addresses are public, and it’s not hard for someone to create a “spoof” account in an attempt to access sensitive information.
This article provides the anatomy of a spear phishing scam, and lists 55 companies and organizations, including TCC, that have fallen victim.
No amount of technology will prevent phishing, spear phishing or other kinds of attempted electronic fraud.
The old saying, “Look before you leap,” applies here. If an email sounds strange or lacks the official TCC email signature — even though it appears to be from a close colleague — contact the supposed “sender” to authenticate it.
Carefully check credit reports for accounts or inquiries you don’t recognize. If you see anything you do not understand, contact the credit agency immediately.
If you find suspicious activity that doesn’t reflect your personal account activity, consider filing a police report and get a copy of it. You may need to give copies of the police report to creditors to clear up credit records.
Yes. Preliminary notification letters were sent on March 30 to 550 former employees. The formal notification letters are forthcoming.
New: April 14, 2016
Yes, that has happened. Here's what you should do.
- DO NOT cash the check!
- Take a picture of the front and the back of the check.
- Send or deliver the check and any correspondence that comes with it to Christine Damrose-Mahlmann, TCC's privacy officer, so it can be provided to the IRS for investigation.
The Virginia Department of Taxation tells us that victims of identity theft will be issued PINs this fall to enable them to securely file their 2016 state tax returns.
TCC's privacy officer is Christine Damrose-Mahlmann. Reach her via email at firstname.lastname@example.org or postal mail at:
Tidewater Community College
Office of the President
121 College Place
Norfolk, VA 23510
You can also call her at 757-822-1298.
Updated January 12, 2017
Last month, Los Angeles Valley College (LAVC) was hit with a ransomware attack, forcing the California Community College system to pay an unidentified hacker nearly $28,000 to retrieve stolen data. The investigation is still in the early stages, and as of now no breach data was identified.
LAVC consulted with its leadership, outside cybersecurity experts and law enforcement before making the payment. “It was the assessment of our outside cybersecurity experts that making a payment would offer an extremely high probability of restoring access to the affected systems, while failure to pay would virtually guarantee that data would be lost,” according to a statement. The attack has disrupted many computer, online, e-mail and voicemail systems.
The United States Department of Justice estimates that approximately 4,000 ransomware attacks occurred every day in the U.S. in 2016. Education is the sector most targeted by ransomware, according to a recent report from security analyst BitSight, which found that 13 percent of institutions experienced ransomware attacks last year.