Campus payroll service hacked

Fraudulent employee taxes filed

At least 74 non-student employees of Allegheny College have recently experienced personal information theft, including having their Social Security numbers accessed. The college believes the information was accessed through the hacking of Automatic Data Processing, Inc., according to an email sent out by Rick Holmgren, vice president for Information Services and Assessment, to all regular employees.

More specifically, Holmgren said the college suspects hackers accessed the information through ADP’s iPay program, which allows enrolled employees to access their paystubs, W-2s and Forms 1099 electronically.

“It’s a convenience for employees and it’s more efficient in a lot of ways,” Holmgren said.

There are criminals making these big databases of supposedly private information.

— Rick Holmgren

To the college’s knowledge, only employees enrolled in iPay have been affected, according to Holmgren.  

Students have not been affected by the hacking, and no email has been sent to them. Pat Ferrey, director of Human Resources, said iPay was never set up for students because it would likely be more of a hassle than it was worth.

“Because we have so many problems with the student payroll was one of the reasons we never set up the iPay payroll because that would have just been one more thing to troubleshoot,” Ferrey said.

These problems include students losing checks and having to be issued new ones, as the majority of students do not use direct deposit.

In order to prevent more employees from experiencing the fraud, Holmgren said one of their first steps included stopping any more employees from registering for iPay.

“We’ve locked down iPay, so no new people can register whether they’re fraudulent or not,” Holmgren said. “And also the accounts that we know were fraudulent have been essentially eliminated from the system. We locked them immediately and within a few days, ADP had deleted them.”

Zac Callen, assistant professor of political science, was an employee affected by the attack.

“All I know for sure is that my Social Security number has been accessed,” Callen said.

Callen first realized something was wrong when he tried to file he and his wife’s taxes. The forms he tried to submit through TurboTax would not go through because someone else had already filed using his Social Security number. After Callen posted on Facebook about the annoyance, other people began commenting about similar problems. He then let the college know as it became clear that he was not alone.

Callen said he had to file his taxes with a special form, the 14039 Identity Theft Affidavit, according to the Internal Revenue Service website.

The college recommended Callen put a freeze on his accounts and provided instruction on how to do so. The account freeze will require companies to double check his information before allowing for things like credit cards to be opened in his name.

“The college has worked to keep us up to date,” Callen said.

So far, Callen said there have not been any negative repercussions for him besides the inconvenience of having his accounts frozen.

“We’ve been really lucky no one’s tried to open accounts in our name,” Callen said.

Holmgren has sent out at least three emails, one notifying regular employees of the hacking, one following up with the employees and one specifically for those who were confirmed to have been affected.

According to Callen, his accounts will likely stay frozen for up to seven years because he has no intention of unfreezing them, as he already owns a house and car and does not foresee needing to take out a loan anytime soon. He said the hope of having the accounts frozen for seven years is that by the end of the period, whoever had accessed the information will have moved on and discarded it.

According to Holmgren, the security—and inconvenience—of having frozen accounts comes from a double-check system. For instance, if Callen were to request a loan to buy a car, the bank would likely not issue him a loan until they had run a credit check on him.

However, the bank would not be able to access his credit without having his physical presence there requesting a temporary lifting of the credit security freeze for the check. This prevents loans or credit cards from being opened under Callen’s name without his physical presence confirming that the freeze can be lifted.

According to Ferrey, Allegheny is not alone in dealing with identity fraud. Although the college employees have so far only been affected by having delayed tax returns because of needing to re-file, identity theft is a national problem the IRS has been struggling to combat.

According to the IRS website, “In calendar year 2015, through November, the IRS rejected or suspended the processing of 4.8 million suspicious returns. So far, we stopped 1.4 million confirmed identity theft returns, totaling $8 billion.”

Holmgren said part of the challenge for the IRS comes from the fact that so much of finance is done electronically.

“We haven’t figured out a way to create digital identities, so we create all this information that’s supposedly private, but sometimes when it’s not private, it allows people to get more information,” Holmgren said. “And there are criminals making these big databases of supposedly private information. It’s hard. I don’t blame the IRS, being on the IT side. They got a hard problem.”