About 270 Northwestern employees were victims of identity theft after their 2015 federal income tax returns were accessed, but administrators do not know the source of the breach.

Approximately 150 faculty and staff have reported problems with tax filing, but the number is still rising, said David Kovarik, director of information and systems security and compliance. As some employees attempted to file their 2015 tax returns, they were informed by the IRS or other agencies that the return had already been filed using the individual’s Taxpayer Identification Number, which is typically a social security number, he said.

After about 35 of these reports came in, the University conducted an investigation of its systems to determine whether there had been a breach, Kovarik said. The investigation concluded that NU’s systems had not been breached. NU also contacted Equifax, the agency that handles W-2 forms for NU, which indicated there was no breach in its systems, he said.

This was the first year NU partnered with Equifax for W-2 form distribution, University spokesman Al Cubbage told The Daily in an email.

Kovarik said there have been instances of tax fraud at NU in the past, but the number of reports for 2015 was higher than in the last several years.

“Unfortunately, it is more commonplace than we would like to see,” he said. “The actual source — social security number, date of birth, personal data — is extremely difficult to pin down.”

The uptick in fraudulent filing is common beyond NU, as social security numbers are increasingly used for authentication, Kovarik said.

Several years ago, NU made an effort to remove social security numbers from its systems, instead asking faculty to input their employee ID numbers when accessing certain resources online, Kovarik said. This change made a significant difference by lessening the exposure to identity theft in NU’s systems, he said.

German Prof. Franziska Lys, the director of undergraduate studies for her department, said she received a letter from the IRS that said someone had filed a tax return in her name. Lys said the return was clearly not hers, as she usually files with her husband and they both had an extension this year.

Lys said she initially thought someone had hacked the IRS’s data, but said she realized this was an issue at NU after being contacted by The Daily.

On Wednesday morning, Lys contacted Kovarik, who later confirmed that her personal information had indeed been accessed by another person, she said.

When Lys asked why faculty at NU were not informed about these identity breaches, Kovarik told her the University is contacting employees whose identities were confirmed to be breached, she said. Lys noted that two University news releases have been published on the tax filing problems, but said this is not enough information for the NU community.

“I’m unhappy about the fact that Northwestern faculty members and the Northwestern community was not informed about this possibility,” Lys said.

Lys said she has already taken action by contacting Equifax and the IRS. However, Lys said, she is concerned that NU employees are not aware that their information may have been accessed illegally, particularly if they have an extension on their tax returns this year.

“It seems that Northwestern is just waiting for people to contact them, and I don’t think that is the right way to go about this,” she said.

Cubbage said the two University news releases were sent to all students, faculty and staff at NU. More information will be sent soon, he said.

Moving forward, NU employees will be offered free credit protection for a year, Kovarik said. Equifax will provide credit monitoring services to affected individuals, but the details are still being worked out. NU will continue to collaborate with Equifax to minimize the exposure of employees to tax fraud, he said.

“We want to make sure that everybody is informed, that they receive the services that we have committed to,” Kovarik said. “(We will) talk about enhancements to the security mechanisms so that we don’t have a repeat of this next year. We’d like to be at a zero level if at all possible by the time we reach next year.”

This article was updated with additional information from Al Cubbage.

Email: [email protected]
Twitter: @peterkotecki