Glendale teachers surprised to find their taxes already filed -- fraudulently

The IRS recently notified teachers, nurses, counselors and other faculty members in the Glendale Unified School District that they could not file their taxes this year because they already had — or at least somebody using their information did.

In December, the school district with more than 25,000 Los Angeles County students learned that it was the latest victim of a ransomware attack aimed at institutions that store sensitive data, but lack the same type of security standards of a large government agency. The attackers locked district employees out of their own system and demanded an undisclosed ransom for the safe return of their data, according to a district spokesperson. The data included employee and student names, addresses, dates of birth, Social Security and driver’s license numbers and financial account information, according to a letter sent to district employees reviewed by The Times.

In the ensuing months, the full extent of the breach emerged when district employees tried to file their federal and state income taxes but couldn’t because they’d already been filed fraudulently.

As of Friday, at least 231 union members have been affected by the breach and many were required to verify their identity with the IRS to legitimately file their taxes, said Glendale Teachers Assn. union president Taline Arsenian.

“The [union] members are spending a lot of their time to clear this issue,” Arsenian said. “It’s very time-consuming when you get down to it.”

The first sign of a problem arrived in district inboxes on Dec. 6. In an email, the district asked employees and students to stay off their Chromebook laptops and not log in to their school accounts.

“After learning of the cybersecurity incident, GUSD immediately partnered with local law enforcement, outside cybersecurity experts, and the FBI to investigate its scope and assess the potential risk to our employees and students,” district spokesperson Kristine Nam said in an email.

Around the same time, Glendale Unified reached out to employees going back 20 years and notified about 14,000 people that they could potentially be affected by the data breach, Nam said.

It’s unclear whether all the information compromised in the breach was accessed and posted to the dark web, a part of the internet not accessible by traditional search engines, but often where stolen information can be found. But the district has offered one year of free credit monitoring and identity theft detection for anyone who wants the service as a precaution regardless.

Still, some employees have not been satisfied with the district’s handling of the situation.

A current employee who wished to remain anonymous for fear of retaliation from their employer, said the district has been slow to disclose information about the data breach.

“They’ve been so unclear about what happened. It’s been on a need-to-know basis,” the employee said. “The reality is that my information is out there and the damage could happen years from now.”

In contrast, when the second-largest school district in the country, Los Angeles Unified, was the target of a ransomware attack in September 2022, district administrators notified the public within days that they had partnered with the FBI, the Department of Homeland Security and local law enforcement to investigate the situation.

Glendale Unified, on the other hand, did not initially let district employees know about what was happening and information since then has been released as a “slow drip of updates,” the anonymous employee said.

In response to the criticism, Nam said Glendale Unified is “committed to being fully transparent with our community and providing employees, students and families with as much information and support as possible. As is protocol in any cybersecurity incident, communications are dictated by law enforcement and the external cybersecurity team.”

Nam also pushed back on suggestions from employees that the district was slow in notifying staff about the problem.

“We sent a message to our entire community immediately on Dec. 6 when the incident occurred, sent a follow-up on Dec. 7 stating that a cyber forensics team was working on the issue, and sent almost daily messages after that,” Nam said in an email.

But Arsenian, the union president, said the union was not notified about the 14,000 former and current employees until April 19.

In January, the district announced that personal data on the school’s network was accessed in a ransomware attack, including some current and past employees and students. In late February, the district notified the California Franchise Tax Board about the data breach “after an employee reported concerns about their tax filing,” Nam said.

On March 4, a district administrator sent out a districtwide email warning employee’s of the fraudulent activity. That administrator included the phone number and mailing address for the California Franchise Tax Board, along with a link to an IRS webpage to help protect against identity theft.

“At that point, it felt like the cat was already way out of the bag,” the anonymous employee said. “They have just been unhelpful through all of this.”

Though Nam said that no student information had been compromised in the breach, she acknowledged there could be a small handful of exceptions such as paid student tutors whose financial information is in the school’s information system.

“We do not have reason to believe that, in general, students’ personal information was compromised by the data breach,” Nam said. “If we identify that a student’s personal information was compromised for any reason, we would notify the student and parent/guardian directly.”

Clifford Neuman, director of the USC Center for Computer Systems Security, said if a ransomware attack gains access to someone’s wage and tax statement — commonly referred to as a W-2 — it’s a “treasure trove of information for someone looking to commit identity theft.”

But there is different information stored for an average student that is likely not the type of information used to fraudulently file taxes, Neuman said.

School districts are not necessarily a high-priority target for the type of people who would be behind a ransomware attack, but they’re relatively easy targets because they have so many vulnerabilities, Neuman said. The “attack surface” on a school district is larger than a bank’s, for example, because there are more people exchanging messages and documents through email in a school. Ransomware perpetrators understand that schools and hospitals are willing to pay a ransom to regain access to their systems because it’s valuable information and, in the case of a hospital, potentially a life-or-death situation.

If someone were to trace where the Glendale Unified ransomware hack originated, it could be something as simple as someone on the district’s network visiting a website with an outdated web browser, Neuman said.

“It’s pretty hard to secure their systems against all of these types of instances,” he added.

For all the impacted employees in Glendale Unified, Neuman expects the IRS would be held liable if it processed any fraudulent filings and sent a check to a fake address, not the school district.

“That takes a long time to straighten out,” Neuman said.

Arsenian, the union president, said that employees affected by the fraudulent filings have been told they’ll have to wait three to six months for their income tax returns.