Tax season has come and gone and so has the confidential information of 48 Southwestern College employees who had their identities stolen and fraudulent tax returns filed in their names.
President Dr. Melinda Nish, who addressed the issue in an email sent to SWC employees on March 27, said campus police are engaged in an on-going investigation with the aid of an independent investigative firm which has contacted 30 of the 48 victims as of April 20.
“We have a very small police department, so we don’t have a deep bench with police that have a lot of experience in investigations,” she said. “We felt it was best that we get a firm that specializes in investigations.”
Investigators, Nish said, have found no evidence of a security breach or anything to suggest confidential information, W-2 forms or Social Security numbers were stolen by hackers. SWC Institutional Technology (IT) has also conducted an internal audit of the college’s computer systems, but found no evidence of a security breach either, she said.
Representatives of the campus police, IT and the independent investigative firm said they were unable to comment. Nish has instructed them to deny comment in order to centralize communication. All media inquiries, she said, should be directed to her office.
In the March 27 email Nish advised affected employees to file identity theft reports with their local law enforcement agencies, contact the Internal Revenue Service and one of the three credit bureaus — Equifax, Experian or TransUnion — to put freezes on their credit report files so no new credit cards could be registered in their names.
Nish said there may be more than 48 SWC employee cases.
Under federal law, any person found guilty of filing fraudulent a tax return could incur a maximum sentence of three years in prison and a fine of up to $250,000.
“People are stealing your information in order to file, and receive, a tax refund in your name,” Nish’s email read. “You aren’t going to know it has happened until you go to file, what is in essence, a second return, and the IRS will reject it. If you electronically file, it will be rejected immediately. If you ‘paper file,’ you will get an IRS 5071C letter in writing explaining what the problem is.”
Nish provided the phone number to the Federal Trade Commission’s Identity Theft Hotline, which offers assistance to victims, and wrote that the college had been in contact with Payroll Services, who had in turn been in contact with the San Diego County Office of Education. SDCOE has access to confidential employee information, such as Social Security numbers, because the agency does final processing for SWC employee payroll.
SDCOE has “found no break in the integrity of their systems,” her email read.
Her email also explained that the college has “reached out to those affected.”
On April 3 Nish sent another email to employees saying that the SWCPD was “compiling a list of District employees affected by this invasion of privacy.” SWC is working with the “Chula Vista Police Department, other San Diego County colleges and university police departments to identify victims, share information and better protect our community members,” her email read.
SWC Police Officer Marco Bareño was assigned as the SWCPD point of contact.
SWC Professor of Theatre Mark Pentilescu said he realized his identity was stolen and a fraudulent tax return was filed in his name in mid-March, a day after he received two letters in the mail, one from the IRS, the other from the State of California Franchise Tax Board.
He said enclosed in his letter from the State was a “huge check.”
“It was made out to me and the name of another (SWC) teacher, too, as if we were cohabitating,” he said. “The IRS (letter) said basically the same thing — and that they were going to be sending me a check soon. I hadn’t filed my taxes yet. Also, (the IRS letter) had the other teacher’s name on it.”
Pentilescu said he began to wonder why another faculty member’s name would appear on his tax documents. On March 23 he sent an email to all SWC faculty members asking if anyone else had experienced identity theft.
“Lo and behold,” he said, “about 16 people responded immediately.”
At least three of them, he said, reported another faculty member’s name was also on their letter or check from the IRS or State Franchise Tax Board.
On March 27 after Nish sent her initial email to SWC employees, Pentilescu responded with one of his own, also sent to SWC employees.
“I have been trying to file a report with SWC campus police since Tuesday or Wednesday,” he wrote that Friday afternoon. “Sgt. Sanchez referred me to Marco Bareño. Today I am told Marco Bareño will not be on campus until April 6. I asked the officer who answered the phone if there was someone else I could talk to and was told that Bareño, ‘He’s the one.’ It is disheartening to see what value our campus police put on this matter.”
In his email to faculty members Pentilescu said it took 10 minutes to file a report with the CVPD, 20 to speak with the IRS, five with the FTC and another five with Equifax. Recently he said it took 10 days to file a report with the campus police.
“None of the 16 with whom I’ve exchanged information has heard anything from our administration,” his email read.
“I took that as an insult,” he said, “because there’s a connection here someplace… No one reached out to anyone or did anything for us, with us, called us together or anything. I thought that was just trying to smooth it over.”
Since late March Pentilescu said he has spoke to Bareño, but has only recently been contacted by the independent investigative firm. He also said SWC employees who were affected have reported fraudulent tax returns and expensive purchases made in their names.
Professor of Reading Robert Unger was one of the 48 affected SWC employees. He said he filed both his State and Federal tax returns electronically. His State filing was accepted, but his Federal was rejected.
“If there’s a breach, and the breach occurred on campus, (SWC) could be liable for the ramifications,” he said. “Each of the individual faculty members and staff could actually bring a suit against the college.”
Unger said he began hearing about the issue before spring break. He said he emailed SWC Police Chief Michael Cash who was not aware of the issue, but “then he quickly got up to speed.”
Unger said one problem could be the college’s computer software.
“Our software is antiquated,” he said. “It is very possible the college was hacked…The software we’ve been using in our payroll system has been patched and re-patched for many years.”
Another possibility, he said, could be a County Office of Education breach. He said a San Diego police officer offhandedly told him other school districts in connection with the SDCOE have experienced breaches.
“That’s secondhand information,” he explained, “but if that’s true, then it does point to the County, as opposed to us.”
Nish said SWC will “fiscally go independent” of the SDCOE on July 1.
“We will decouple from the County,” she said. “All of (SWC employee payroll) will be processed in-house. So I’m looking at that this as a real positive, because that would close the door on a possible breach with the County.”
Nish said she doubts identity theft will cease.
“I don’t think that this is going to be ever going away anytime soon,” she said, “because there’s so much electronic traffic of this information.”
Nish mentioned that the CVPD has reported a steady increase in identity theft crimes in recent years.
“Right now (CVPD) is reporting 60 plus cases reported to them, not including ours,” she said. “That’s more than last year, which was about 54.”
In an effort to aid affected employees, she said, SWC will provide identity protection services for them, though she did not mention the name of the service company or the services it would provide.
“We’ve identified a service and we’ve identified the cost, and we’re going to roll that out for everyone that has been reported that they have an IRS filing issue.”
One precaution SWC has recently taken involves the amount of access SWC employees have to confidential information, she said.
“We’ve significantly reduced any employee that has access to Social Security numbers,” she said. “Very, very few people can even get that information off our system now.”
The number is now around 30, she said.
Nish has yet to comment on how many people had access before.
Dr. Carla Kirkwood, coordinator of the SWC Center for International Studies, said she was aware of the breach in March, but only realized she was victimized herself on April 9 or 10. She said the whole process since then, which involved hours upon hours of paperwork, has been a “sure reality check.”
“I’m not a Luddite,” she said. “I believe in technology, but this processing of information — it’s almost like we thought Big Brother was going to be at our door, burning our books, but this may be a much more sophisticated way of control and maneuvering. Then when this stuff happens, it’s very clear that it can happen to you.”