U profs worry personal info hacked; no campus breach found

About two dozen University of Minnesota faculty members have told administrators they suspect someone has committed tax fraud using their personal information.

Two professors say they and other colleagues were unable to file federal taxes online, because the Internal Revenue Service website told them someone had already filed in their names.

The university says it can't find any data breach in its computer network, and says it appears to be criminal activity unrelated to the university's operations. That leaves some faculty members puzzled, because the complaints are concentrated in the sociology and psychology departments.

"I don't know how somebody would have gotten this information from so many people at the same institution," said sociology professor David Pellow.

University spokesperson Steve Henneberry said that in addition to sociology and psychology, administrators also received complaints from a graduate student in music and the spouse of a faculty member in the College of Education and Human Development.

Sociology professor Rob Warren said he noticed something was wrong during tax season when he tried to file his return with the IRS online. He said he got an error message indicating someone had already filed.

Pellow said his tax accountant got a similar message when he filed Pellow's return, and ended up submitting a paper copy and Pellow's payment. He says he has filed an identity-theft claim and recently received a letter from the agency saying it would take up to six months to process.

Henneberry said university officials have known about the problem since late April. He said personnel have checked whether the network security system has suffered any security breaches in the past year, but could find none.

The university hasn't notified any outside agencies or looked into the possibility that an employee may have given sensitive data to someone outside the university since "there is no information to support that," he added.

University officials can't explain why the problem appears concentrated on a small group of professors, he said, and say it's the first time the U has experienced a problem of this nature.

In a June 7 email obtained by MPR News, human resources chief Kathryn Brown told a faculty leader that the university's chief information officer, Scott Studham, "says international crime rings are able to buy information on the black Internet, and this appears to be the case with impacted faculty."

"Sadly," Brown wrote, "this appears to be random criminal activity."

William Kresse, a Governors State University business law professor who studies fraud, says such statistical anomalies are always possible.

But he cited two explanations he thought were most likely.

The first is that someone hacked the computer systems of an institution outside the university, such as a health insurance company, that serves those faculty members, and which bundles information files by department.

That, he said, was the root of a recent tax-related identity theft case involving faculty members at Virginia Tech. Organizations that hold data collected for licenses and credentials are also a risk.

"You have to find a common denominator," Kresse said.

The second most common possibility he cited is that someone within the university, such as an employee or visitor, accessed the information and then shared or sold it to someone outside.

"We're always looking for the high-tech hacks," he said. "But ... very often the old-school methods of stealing identities are still very prevalent."

The first step Kresse said he would take would be to send out an email to the entire campus to find out who was affected, something university spokesperson Henneberry said the U has not done at this point.

Henneberry said university officials have notified the affected faculty members of the results of the inquiry, and he said the U's data-security personnel have offered to meet with faculty members to offer more information.

Because the university does not appear to have played a role in the problem, Henneberry said, it's not offering the usual services, such as free credit-monitoring, that companies offer victims of data breaches. He said it's up to those affected and the IRS "to work through an individual tax fraud issue."

So far, Henneberry and the two professors say they've heard no reports of faculty suffering financial damage from the activity.

IRS spokesperson Karen Connelly said disclosure rules prohibited her from discussing specific cases, and she could not say whether the occurrences at the U of M were part of any national or regional pattern.

National media reports indicate that tax-related identity theft is on the rise nationally, and that hackers have been able to obtain sensitive taxpayer data through the IRS website.

Early this year the Minnesota Department of Revenue temporarily stopped accepting tax returns filed using TurboTax software over concerns the program was susceptible to fraud. But a faculty email said some of those at the U hit by the fraud do not use that software.

Pellow said he's satisfied for now with the university's handling of the situation, but did say he's "a little concerned that they were able to rule [a breach] out ... when they don't appear to have anything more definitive."

But Warren says the university should have done a better job of notifying personnel of the problem and helping employees beyond just pointing them to the IRS.

He says the university hasn't contacted him offering more information, and says he wants a fuller explanation of the problem.

"I'm still frustrated with the argument that this thing 'just happens,'" he said. "It isn't a coincidence that these people work in the same department. It seems very unlikely that this could happen except by some sort of ... [accidental or criminal] release from the university."