Statement from Randy Livingston regarding compromised tax data

To all Stanford University employees, 

On Monday, April 4, Stanford's Department of Public Safety and the Information Security Office issued an alert to the university community after receiving a small number of reports from employees of fraudulently filed tax returns. Tax fraud has become a rampant problem across the country, arising from widespread online financial scams and highly publicized cyber breaches that have occurred in recent years.  As such, at the time of the university alert, it did not appear that the university was being specifically targeted. University officials began investigating immediately, and that investigation is ongoing. It now appears that the university, among other employers, was a target as a source of W-2 forms.

As the investigation proceeded we determined that some Stanford employee W-2 forms were fraudulently downloaded from our third-party vendor. In total, the W-2s of approximately 3,500 current and former Stanford employees were downloaded through the vendor's system. The majority of these downloads are likely legitimate, but I regret to report that we believe that at least 600 were downloaded fraudulently. An affected current or former employee may not yet be aware that his/her records have been compromised.

The university will notify all employees whose W-2 forms were downloaded from the vendor's site whether legitimately or not. We intend to issue those notifications early next week. Those notifications will include further instructions for accessing credit monitoring services and other protections at no cost.

How did this happen?

The university employs a third-party service named W-2Express, which is operated by the credit bureau Equifax, to make W-2 forms accessible online via tax preparation software or for direct download. These downloads required prior knowledge of an individual's Social Security Number and date of birth. The perpetrators were already in possession of this personal information, which was subsequently used to log in and download the W-2 forms. At this time, we have no reason to believe that this sensitive information was obtained from Stanford systems.

Many employees use Stanford's Axess to download their tax forms. It is important to note that W-2Express is independent of the W-2 downloads provided via the Axess portal, which is protected by the university's two-step authentication system.

The authentication system W-2Express uses for Stanford employees is also used by W-2Express for many of its other clients. Similar W-2 service providers also use that system. Unfortunately, a number of other employers have experienced similar breaches where W-2s have been fraudulently downloaded. University officials are working closely with Equifax and Stanford's Department of Public Safety to investigate further.

The W-2Express service has been temporarily disabled to prevent further fraudulent access. The service will be restored once we can establish a more secure alternative authentication method that does not rely on personally identifiable information.

Next steps

Equifax has agreed to provide credit monitoring, fraud alert and other services for all affected employees at no cost for one year. It will also include up to $25,000 Identity Fraud Expense Coverage, and access to your credit report.

Equifax is providing activation codes/coupons for credit monitoring. Those will be included in individual notifications. Employees will have until Oct. 7, 2016, to enroll.

What can you do?

All individuals are urged to continue to take steps to help protect themselves from the fraudulent use of their identity. The Information Security Office provides specific guidance to the Stanford community on how to avoid, detect and handle identity theft at security.stanford.edu/identity-theft.

We advise employees to file their returns as they normally would and await notification from the Internal Revenue Service and/or California's Franchise Tax Board if a fraudulent return was filed. If you find out that you have been a victim of such fraud, please notify Stanford's Financial Support Center at (650) 723-2772; email: finhelp@stanford.edu.

I know this news will cost affected employees precious time and attention, and may impact them financially. We strive to ensure the security of our employees' private information and deeply regret the compromise of these important records.

Sincerely,
Randy Livingston
Vice President for Business Affairs and CFO