Tidewater Community College Identity Theft Incident

Updated Aug. 8, 2016

Tidewater Community College continues its commitment to transparency and communication in its response to the March 2016 identity theft incident. See what's been done so far.

Additional questions and answers will be posted here as further information is received. Send your questions to faq@tcc.edu

Employee Response Hotline to be discontinued

Updated July 28, 2016

The TCC Employee Response Hotline, the toll-free number that was established immediately in the wake of the identity theft incident, will be discontinued as of July 31.

Any questions you may have should be directed to either privacy@tcc.edu or faq@tcc.edu.

Deadline for credit monitoring has passed

Updated July 28, 2016

The deadline to enroll in Experian’s ProtectMyID Alert was July 8.

If you missed the deadline, see the tips below to help you take advantage of no-cost services through the major credit-reporting agencies: Experian, TransUnion and Equifax.

Go to ProtectMyID login page

Experian credit monitoring is for 24 months

Updated April 26, 2016

When you sign up for the Experian ProtectMyID credit monitoring service, the website may tell you the monitoring is free for 12 months.

TCC is funding an additional 12 months of monitoring. Employees and former employees will be receiving 24 months of free credit monitoring.

Summary of the incident

An unauthorized individual, impersonating a TCC executive, contacted a TCC employee via email requesting W-2 information for TCC employees.

Later that day, before it was determined that the request was fraudulent, the employee provided the information. The file contained the names of individual employees, their Social Security numbers, and 2015 compensation and deduction information.

Read President Kolovani's March 25 message to employees

Who is affected?

Current and former full-time, part-time wage, adjunct and student employees, including work-study students—anyone who received taxable wages from TCC for 2015.

​What is TCC doing?

Updated April 26, 2016

The college is operating on several fronts in this matter.

TCC is working with a reputable company so that you will be able to access 24 months of free credit monitoring from Experian and have a toll-free number you can call if you have a question.

To reach the TCC Employee Response Hotline, call 

1-844-804-4370 (toll free)
Monday through Friday 9 a.m. to 9 p.m.

You should have received a letter in the mail at your home address with instructions on setting up free credit monitoring.

TCC’s leadership is also working with investigators and state authorities to identify the means of this attack.

Further, President Kolovani has directed senior staff to implement advanced cybersecurity training for all employees who handle sensitive data.

How will communication be handled?

You will receive official written communications at home. This web page will be updated as needed. There may be additional emails from President Kolovani or other members of senior staff.

Additionally, President Kolovani will address the data breach and answer questions during the following town hall meetings:

Workforce Solutions Center
Wednesday, April 6, 9 a.m.
Classrooms 114-116

District Administration
Friday, April 8, 2 p.m.
Green District Administration Building
College Board Room, 6th floor

Chesapeake Campus
Monday, April 11, 1 p.m.
Chesapeake Campus Student Center, Chesapeake Bay Room

Campus Assistance Center schedule extended

Updated April 25, 2016

The Campus Assistance Centers, which were established to help employees complete IRS and credit agency notifications, will operate for an additional week from April 26 to April 29.

You can get help on all campuses, at the District Administration Building and at the Center for Workforce Solutions.

See the schedule

Additional questions

How might this impact my 2016 tax filing in 2017?

Updated July 18, 2016

If you suspect that someone has filed a fraudulent tax return using your information, we recommend contacting the IRS Identity Protection Specialized Unit at 800-908-4490. They are available Monday through Friday from 7 a.m. to 7 p.m.

For additional information from the IRS, visit www.irs.gov/uac/Taxpayer-Guide-to-Identity-Theft

Starting in December 2016, personal identification numbers (PINs) will be issued by the IRS and the Virginia Department of Taxation to those taxpayers who have been identified as victims of identity theft.

The PIN will be used to verify that the taxpayer is the rightful filer of the return.

To ensure timely processing, taxpayers must use the PIN on any 2016 individual income returns filed during 2017.

PINs will be valid for one calendar year. A new PIN will be issued to affected taxpayers each year by late December. 

At this time neither agency is able to provide all taxpayers with PINs upon request.

Exactly what information was compromised?

Updated April 8, 2016

The exposed information is found on a W-2, including:

  • Employee name
  • Social Security number
  • Employee Payline number
  • Federal wages and tax
  • Social security wages and tax
  • State wages and tax
  • Deductions for health insurance, retirement funds and dependent care


The file did NOT contain address, date of birth, spouse information, banking information or email addresses.

This image shows the data that was exposed:

Screen shot of W-2 data fields

When I signed up for Experian ProtectMyID, the website said the credit monitoring was free for only the first year. I thought we were getting two years.

Updated April 26, 2016

Typically, companies provide 12 months of credit monitoring in identity theft incidents.

However, TCC is funding a second 12 months of monitoring for our employees and former employees.

No matter what the website says when you sign up for Experian ProtectMyID, you will have 24 months of monitoring.

Should my spouse be concerned?

While spouses’ information was not included in the files sent in the email, we recommend that they follow the steps we have provided to help protect themselves against the misuse of their information.

Our retirement contributions were in the compromised data. Could my accounts be in danger?

The identity theft disclosed the amount of contributions, but did not disclose our retirement account numbers, plan information, or the vendors.

Nonetheless, the Benefits team in HR has alerted our retirement plan vendors, including the Virginia Retirement System and the state’s third party administrator for 403(b) plans, to the data breach.

Additionally, the Benefits team will verify any loans, withdrawals, or refunds on employee and former employee retirement accounts. They will contact the employee or former employee to ensure it is a legitimate request before processing.

The retirement plan providers themselves can take additional measures to protect both your personal information as well as your assets. 

If you are interested in having your 403(b) and/or 457(b) plan provider take additional measures, please contact your account provider(s) directly to alert them you have had some personally identifiable information compromised. Discuss with them the additional measures they can take and how those measures may affect accessing your account going forward.

Did the incident involve non-employee or independent contractor payment information?

No, the identity theft involved only 2015 TCC employee information.

Was this incident reported to the police or other law enforcement authorities?

Yes, we have reported this incident to law enforcement, including the FBI and State Police, and are cooperating with their ongoing investigation.

When did the identity theft incident occur?

The initial email from the unauthorized individual requesting employee information was received on March 2, 2016. The information was sent later that day.

Below is a full timeline associated with the incident:

  • March 1: IRS Alert to Payroll and HR Professionals to Phishing Scheme involving W-2s (The college has no indication of receipt of this notification).
  • March 2: TCC identity theft incident occurred.
  • March 10: TCC Help Desk emailed MOAT Alerts Newsletter that contained general information on the subject of phishing threats.
  • March 23: VCCS System Office communication to the presidents alerting of this nationwide scam.
  • March 24: TCC incident discovered.
  • March 25: TCC president emailed college community.
     
What should I do?

Updated April 11, 2016

Whether or not you suspect that your personal information has been used to file a false tax return or for some other fraudulent purpose, your information has been compromised. Do the following:

1. Contact one of the three major credit-reporting agencies — Equifax, TransUnion, or Experian — to place a fraud alert on your credit file. The one you place a fraud alert with will contact the other two. Renew the fraud alert every 90 days.


You can request a copy of your current credit report when you set up the fraud alert.

2. Complete and submit IRS Form 4506-T, Request for Transcript of Tax Return for calendar year 2015. This tax transcript will allow you to determine if your taxes have been fraudulently filed.
 
3. Complete and submit IRS Form 14039, Identify Theft Affidavit. It alerts the IRS that you have reason to believe your personal information may be used fraudulently.

The form and further information are available here: https://www.irs.gov/Help-&-Resources/Tools-&-FAQs/FAQs-for-Individuals/Frequently-Asked-Tax-Questions-&-Answers/IRS-Procedures/Reporting-Fraud/Reporting-Fraud

Alternatively, you may call the IRS Identity Protection Specialized Unit toll-free at 1-800-908-4490.

4. Place an alert with ChexSystems. Chex Systems, Inc. is a consumer-reporting agency governed by the federal Fair Credit Reporting Act (FCRA) and other laws (the Federal Trade Commission enforces the FCRA). It provides account verification services to its financial institution members to aid them in identifying account applicants who may have a history of account mishandling (for example, people whose accounts were overdrawn and then closed by them or their bank).

In short, ChexSystems is like the credit reporting agencies (Equifax, Experian, TransUnion) but specific to checking/savings history instead of credit/loan history.

ChexSystems has two protections available:

  • Consumer Report Security Alert: This puts a flag on your consumer file stating the banking institution needs to take additional steps to confirm it is you who is initiating the action (much like placing a fraud alert with the credit reporting agencies). You may request a 90-day alert, which is the default, though you may extend it to 7 years if you have an affidavit of fraud.

 

To set the Consumer Report Security Alert, call 888-478-6536 or use the online system.

  • Consumer Report Security Freeze: This will prohibit ChexSystems from releasing any information in your consumer file without your express authorization, meaning you have to contact ChexSystems and lift the freeze in order for your information to be released (much like placing a freeze with the credit reporting agencies).

 

You should be aware that taking advantage of this right may delay or prevent timely approval from any user of your consumer report. Any the third party that you want to do business with will receive a message indicating that you have blocked your information.

To set the Consumer Report Security Freeze, call 800-887-7652 or use the online system.

And what if my information has been used in identity theft or to file a tax return?

Updated April 4, 2016

If you believe your personal information has already been used fraudulently:

Report the identity theft to the Federal Trade Commission at http://www.idtheft.gov. You can also call 1-877-IDTHEFT[CDM1] .
 
File an identity-theft report with your local police or sheriff’s department. The police report is necessary to show that you made an official report of identity theft.
 
Report the theft of your Social Security number to the Internet Crime Complaint Center at http://www.ic3.gov/. The report will be distributed to the relevant federal, state and local authorities.
 
Complete and submit IRS Form 14039, Identity Theft Affidavit.

Contact the Virginia Department of Taxation. For details on how to report your identity theft to the state, visit: www.tax.virginia.gov/content/tax-related-identity-theft-prevention

Log in or establish an account with the Social Security Administration at www.socialsecurity.gov. There, you can review your Social Security record for inconsistencies. Details are at https://faq.ssa.gov/link/portal/34011/34019/Article/3792/What-should-I-do-if-I-think-someone-is-using-my-Social-Security-number

You may also want to establish a “credit freeze” with the credit reporting agencies.

The Federal Trade Commission offers a good resource on what to do in case of identity theft at http://www.consumer.ftc.gov/features/feature-0014-identity-theft.

In addition, in order for us to maintain a record of all employees whose private information is misused, report your incident on this web form: https://forms.tcc.edu/identity-theft-report

Be sure to keep your report general. Do not include sensitive or personal information.

What’s the process for making a police report?

Updated April 7, 2016

You can make a police report for identity theft as soon as your information has been used fraudulently, for example, to file taxes, open an account or attempt to open an account.

Note that your personal information has to be fraudulently used, not just acquired.

When making your report, reference Virginia State Police report 16-7705 (date of report 3/28/16).

This number documents the reporting of the data breach and, if a local department follows up on the complaint, they will be able to coordinate with the State Police using that report number.

Virginia Beach, Chesapeake and Norfolk have Economic Crime units; if you live elsewhere, reports can be made to the detective bureau in your locality.

You must go in person to the police department to make a report.

  • Chesapeake Economic Crime Unit: 757-382-6161
  • Norfolk Economic Crime Unit: 757-664-7018
  • Portsmouth Detective Bureau: 757-393-8536
  • Virginia Beach Economic Crime Unit: 757-385-8101
  • Suffolk Detective Bureau: 757-925-1439
  • Hampton Detective Bureau: 757-727-6530
  • Newport News Detective Bureau: 757-928-4200
What is the difference between a fraud alert and an extended fraud alert?

A fraud alert puts creditors on notice that you may be a victim of fraud. There are two types of fraud alerts: an initial alert and an extended alert.

You may ask that an initial fraud alert be placed on your credit report if you suspect you have been, or are about to be, a victim of identity theft. The initial alert stays on your account for 90 days. You can extend it another 90 days by contacting the credit agency.

An extended alert can be placed on your credit report if you have already been the victim of identity theft. Generally, a police report is required. An extended fraud alert stays on your credit report for seven years.

Contact any of the credit reporting agencies to place fraud alerts on your credit reports.

What is a credit freeze?

Also called a “security freeze,” a credit freeze prevents any new credit from being opened under your name without the use of a PIN that is issued to you when you initiate the freeze.

If you apply for new credit, such as a car loan, the lender will not be able to access your credit records unless you temporarily lift the freeze.

There is a small fee for each credit reporting agency to establish credit freezes. You must contact the three agencies separately to set up a credit freeze.

What if I encountered problems with my personal information before March 2?

Some TCC employees have reported encountering problems with their personal information prior to March 2 or with information unrelated to the March 2 incident. The source of these problems is undetermined.

There have been other high-profile data breaches in recent months in which our employees may have been affected, specifically the hack at Anthem Blue Cross Blue Shield and the cybersecurity incidents affecting the federal government's Office of Personnel Management.

At TCC, we are aware only of the data stolen on March 2. We have notified the VCCS and law enforcement to the pre-March 2nd problems our employees have reported.

I want to see how my information was used in a fraudulent return. Can I get a copy?

Yes. The IRS will send you a redacted copy of a fraudulent return if you are the primary or secondary taxpayer and if you supply certain information.

  • Your name and SSN
  • Your mailing address
  • Tax year(s) of the fraudulent return(s) you are requesting
  • The following statement, with your signature beneath: “I declare that I am the taxpayer.”

Your letter must be accompanied by a copy of your government-issued identification (for example, a driver’s license or passport).

Full instructions and delivery address can be found here: www.irs.gov/Individuals/Instructions-for-Requesting-Copy-of-Fraudulent-Returns

If I have already filed federal and state taxes, do I still need to contact the IRS?

If you have already successfully filed your tax return, it's still a good idea to submit IRS Form 14039, Identify Theft Affidavit. It alerts the IRS that you have reason to believe your personal information may be used fraudulently.

I have Anthem Blue Cross/Blue Shield. Didn’t we get credit monitoring after that breach last year?

Yes. As a result of the Anthem data breach, Anthem contracted with AllClear ID to provide credit monitoring and identity theft repair services for two years at NO COST to Anthem members whose personal information was included in the breach.

We are still within that two-year window and eligible for the services. Anthem participants were automatically enrolled in the Identity Repair Assistance benefits.

Members could sign up for additional services such as credit monitoring, child identity protection, identity theft insurance, identity theft monitoring/fraud detection and phone alerts.

The following is a link to the letter sent out in February 2015 that provides information pertaining to the services available through the Anthem data breach.

www.dhrm.virginia.gov/docs/default-source/default-document-library/lettertoemployees21315.pdf?sfvrsn=0

Those employees and covered family members who were affected by the Anthem breach have access to these services.

Are there other ways I can get credit monitoring?

Yes, two in particular.

Anthem and Aetna, the two providers offering state health insurance, provide the following services through the Employee Assistance Program (EAP):

  • Free Credit Monitoring
  • Identity Theft Recovery
  • Legal/Financial Consultations

The EAP is available to full-time employees enrolled in state health insurance. The program can also assist you and family members in dealing with the stress associated with this situation.

Some employees are enrolled in pre-paid legal plans such as Legal Resources and Legal Shield, which offer identity theft services. Contact your provider directly to see what services are available under your plan.

Contact the Benefits team in HR if you have any questions:

  • M. Nannette Richardson, Employee Compensation and Benefits Manager, mnrichardson@tcc.edu, 822-1737
  • Michelle McBeth, Benefits Specialist, employees last names beginning A-J, mmcbeth@tcc.edu, 822-1706
  • Angela Vann, Benefits Specialist, employees last names beginning K-Z, avann@tcc.edu, 822-1916
     

Or contact Beth Lunde, associate vice president for Human Resources at blunde@tcc.edu, 822-1711

If I choose to purchase credit monitoring and repair services immediately, will TCC reimburse me?

No. TCC is contracting with a trusted vendor to provide free credit monitoring services.

How could this even happen?

It’s small comfort, but TCC isn’t alone. Cyber threats of all kinds are a major problem.

Incidents of tax scams – thieves filing false returns using stolen data — have increased 400 percent, according to a recent article in USA Today. Typically, these involve “phishing”: You receive an email that appears to be official asking you to confirm some personal information.

This incident is a case of “spear phishing,” in which a particular recipient is targeted for a fake email. This is also a widespread problem. Our email addresses are public, and it’s not hard for someone to create a “spoof” account in an attempt to access sensitive information.

This article provides the anatomy of a spear phishing scam, and lists 55 companies and organizations, including TCC, that have fallen victim.

How can we prevent spear phishing?

No amount of technology will prevent phishing, spear phishing or other kinds of attempted electronic fraud.

The old saying, “Look before you leap,” applies here. If an email sounds strange or lacks the official TCC email signature — even though it appears to be from a close colleague — contact the supposed “sender” to authenticate it.

 It's also a good idea to familiarize yourself with TCC's privacy policy and procedures.

What should I do to protect myself from fraud?

Carefully check credit reports for accounts or inquiries you don’t recognize. If you see anything you do not understand, contact the credit agency immediately.

If you find suspicious activity that doesn’t reflect your personal account activity, consider filing a police report and get a copy of it. You may need to give copies of the police report to creditors to clear up credit records.

Have former employees been notified?

Yes. Preliminary notification letters were sent on March 30 to 550 former employees. The formal notification letters are forthcoming.

I've heard that some people are receiving state refund checks.

New: April 14, 2016

Yes, that has happened. Here's what you should do.

  • DO NOT cash the check!
  • Take a picture of the front and the back of the check.
  • Send or deliver the check and any correspondence that comes with it to Christine Damrose-Mahlmann, TCC's privacy officer, so it can be provided to the IRS for investigation.
     

The Virginia Department of Taxation tells us that victims of identity theft will be issued PINs this fall to enable them to securely file their 2016 state tax returns.

Who can I contact at TCC with my privacy concerns?

TCC's privacy officer is Christine Damrose-Mahlmann. Reach her via email at privacy@tcc.edu or postal mail at:

Privacy Officer
Tidewater Community College
Office of the President
121 College Place
Norfolk, VA 23510

You can also call her at 757-822-1298.