December 11, 2014
Dear Faculty and Staff,
I'm writing to provide an update on the use of employee personal information in the filing of false tax returns. For those who are not aware, earlier this calendar year it became apparent that personal information about UNI employees was being used fraudulently to file false tax returns and claim refunds. Previous communication about the matter is available at www.uni.edu/tax-advisory.
A two-track investigation approach, comprised of an operational team of multiple university departments and a law enforcement team of state and federal agencies, was used to address the issue. In addition, the university utilized two national consulting firms to aid in the forensic analysis and system validations. The cooperation and diligence of the law enforcement agencies and the various staff on campus have been excellent. For employees who were victims, reporting their violation to the university was highly critical in helping both tracks of the investigation. Thank you to those who reported this information.
Two specific threats were identified as problematic. First, a critical computer server was identified as operating outside the established standards of Information Technology Services (ITS) and outside professional best practices. Because of this, the server had potential vulnerabilities including allowing possible unauthorized access to sensitive data. Had this server been operating with best practices as established by ITS, the potential vulnerabilities would likely have been prevented. The server has been removed from service and replaced with a virtual machine managed by appropriate ITS staff. As I have learned more about the volume of threats, which are prevented, circumvented or stopped by ITS staff every single day, my respect for their ongoing work continues to grow.
Second, there were (and continue to be) numerous phishing attacks. One of those attempts continues to be investigated by law enforcement. As a reminder, ITS and other university offices will NEVER ask for your password, credentials, social security number or other sensitive information via email. If you question the authenticity of an email claiming to be from UNI regarding credentials, contact the ITS Computer Consulting Center at 3-5555. They can assist in establishing the credibility (or lack thereof) regarding a suspicious email.
Despite the excellent work of UNI employees, multiple consultants, including forensic technology experts, as well as the ongoing work of law enforcement, neither of the aforementioned threats has been proven to be the source of the problem. Given the fleeting nature of certain aspects of technology, unfortunately we have been told definitive proof may not be found.
All evidence points to the fact that this is not an ongoing issue of access to a university system. ITS continues to lead a security working group that evaluates methods to continue to keep UNI systems safe. As their work progresses, we will receive recommendations for improvements in how each of us can participate in strengthening various components that make up computing on our campus. From desktops, laptops, passwords, email and how we transact business within the university, I hope you will join me in being responsive to the recommendations, which will be forthcoming from that working group. Our responsiveness will be critical to the success of this endeavor.
With another tax season rapidly approaching, other institutions, which have had similar issues, tell us that there will likely be further use of personal information that was previously obtained. In anticipation of this, here is a compilation of resources that will proactively inform and help you protect your data:
Ignore any email requesting your password, "validating" your password or other credentials for UNI. ITS will NEVER ask for your password or credentials via email.
IRS recommends filing your taxes as soon as possible. The quickest way to receive your W-2 from UNI is to ask for it electronically. Further information is available at http://www.vpaf.uni.edu/obo/payroll.
If you have not already done so, consider notifying the IRS you are an actual or potential victim of identity theft. Go to www.irs.gov and type "14039" in the search box. Download, complete and submit the Identity Theft Affidavit form to the IRS. If you submitted a form and haven't received a PIN from the IRS, you can go to their office in Waterloo located at 201 Tower Park Dr. Suite 102.
Feelings of violation and unease from events like this are normal. If you would like to confidentially visit with someone about your situation, the university's Employee Assistance Program is available at no cost to you. Free financial consultation is also available through this service. More information, including a toll free number, is available at www.uni.edu/hrs/mybenefits/eap.
If you are a victim and have not filed a report yet, please contact the UNI Police to report the crime. They can be reached at 3-2712.
If you are a victim of identity theft you may want to consider two options available through the Social Security Administration. An online account may be created to manage social security benefits and monitor statements by going to www.ssa.gov/myaccount/ or visit your local social security office. As an alternative, you can block electronic access by anyone, including yourself, at secure.ssa.gov/acu/IPS_INTR/blockaccess.
Freezing credit reports can protect your financial security and deter fraudulent accounts from being opened under your name. Information about this is available on the UNI tax advisory website, left-hand side under Additional Information. Information from IA-OAG is available at www.state.ia.us/government/ag/images/pdfs/Credit_Security_Freeze_10_7_2013.pdf.
Good security practices include changing online passwords on a regular basis, both at work and at home. ITS provides guidance on strong passwords at www.uni.edu/its/kb/8355.
Earlier this year, CNN ran a story indicating that hackers have exposed the personal information of roughly half of the nation's adults within the past 12 months alone. While UNI is not alone in being victimized, the resolve of the IT and operating staff will continue to strengthen systems and operations to protect personal information. If you have specific questions, please call the UNI information line at 273-5700, which is available Monday through Friday between 8 a.m. and 5 p.m. Information remains available on the website at www.uni.edu/tax-advisory.
Senior Vice President for Administration and Financial Services