The Louisville Cardinal

U of L joins dozens of schools hacked in 2017

computer, identity theft, w-2, cyber, crime

By Kyeland Jackson —

U of L wasn’t the only school hacked this year.

Sixty-one schools and colleges have dealt with hacked tax information in 2017, according to Identity Theft Resource Center data. Hackers obtained U of L employees’ personal information, filing fake tax returns for over 80 employees. Hackers even stole Communication Department Chair Al Futrell’s information.

It’s unclear how hackers obtained the information, but phishing – false emails requesting personal information – or malware could be blamed.

ITRC Director of Research and Publications Karen Barney said U of L’s breach is small. But, the hacking is unprecedented for the university.

“This year there are a lot of spear-phishing breaches going on, and they do seem to be hitting the education sector,” Barney said. “(Tax fraud) really became more rampant when people were able to file their returns online.”

The theft represents seasonal increases in hacking attempts. During 2016’s tax season, the Internal Revenue Service reported a 400 percent surge in phishing and malware incidents.

Hackers accessed U of L employee accounts through TALX, an electronic W-2 system owned by Equifax. Equifax, which earned $495 million in 2016, responded with more security – adding another step to access accounts and security questions to reset passwords.

“Based on the investigation to date, Equifax has no reason to believe that its systems were compromised or that it was the source of the information used to gain access to the online portal,” Public Relations Senior Director Pamela Stevens said. “Equifax takes the security of consumer information very seriously and understands that this unauthorized access can pose a problem for the affected individuals.”

Before, TALX used one-step authentication to secure its website. Asked why two-step authentication was not used before the breach, Equifax refused to comment further.

Other schools were also late to increase their TALX security.

Among the 61 schools hacked this year, six used TALX’s W-2 system. Hackers used phishing to breach all those schools except the University of Georgia and possibly U of L:

  1. Bowling Green State University
  2. Adam’s Elementary (Arkansas City, KS)
  3. Jefferson Elementary School (Arkansas City, KS)
  4. University of Georgia
  5. Ohio State Veterinary Medical Center
  6. University of Louisville

Though phishing scammers accessed nearly 6,000 employees using Equifax’s W-2 systems, Barney said the company’s security measures aren’t necessarily to blame.

“When it comes to spear-phishing, things that need to be in place are training of employees on what to be on the lookout for,” Barney said.

Phishing advice and training are advertised in U of L’s daily newsletter, but it’s unclear whether training is proactively offered to schools and departments.

The university was notified of a hack March 1, learned of a pattern March 30 and notified the public April 4. University spokesperson John Karman said the university waited to gather information, clarifying it would be “irresponsible” to notify employees without ensuring a breach pattern existed.

Barney said U of L’s timed response may align with Kentucky’s data breach notification law, which mandates employers notify employees immediately when their information is compromised.

“I always appreciate the entities that do breach notifications even though it wasn’t triggered by a law because it’s the right thing to do for consumers,” she said.

U of L estimates 750 employees’ tax returns may be compromised; that number may increase by the tax season’s end. IRS Media Relations spokesperson Cecilia Barreda said compromised employees will receive their tax returns.

The university may implement more security measures according to costs.

File photo / The Louisville Cardinal