18,000 former and current employees of the Catholic Archdiocese of Denver are reportedly exposed to risk after an unauthorized party gained access to the payroll software system administered by a third-party payroll service provider. While investigations have yet to show how the breach was carried out, the authorities shared that names, social security numbers, and addresses of employees, their spouses, and dependents included in the payroll system may have been mined.
In a statement, archdiocese Chief Financial Officer Keith Parsons noted that in October 2015, payroll information of at least 80 individuals have been looked at by an “unknown person or persons.” In November, the archdiocese duly notified individuals who were directly impacted by the breach and quickly provided them with ID theft monitoring and identity repair services.
However, an uptick in tax fraud reports last March concerning individuals who were not part of the initial notification list led the archdiocese and the authorities to believe that what was deemed as an isolated breach may have been wider than earlier anticipated. Investigations have yet to identify if the first batch of mined data have been used to gain access to a wider scope of sensitive personally identifiable information residing in the database, but the archdiocese opted to issue an awareness campaign to everyone whose records were part of the compromised database.
“Since first learning of the incident, we have been working with the Archdiocese’s third-party payroll provider to understand how the incident occurred and the potential number of impacted employees, and to ensure that the integrity of our data is restored,” Parsons noted in a signed letter addressed to all employees. “In addition, we added additional security measures to hopefully prevent similar incidents in the future.”
Currently, the same kind of identification protection service has been afforded to everyone whose information can be found in the database in an attempt to reduce potential risks. Reports noted that at least 50 individuals have already come forward to report fraudulent use of their information, but Parsons and the authorities believe there may be others who have not reported, or worse, still remain clueless of any malicious activity involving their personal information.
Identity theft takes place when the personal information of an individual has been accessed and stolen by crooks and has been used to build a believable identity—which is a fraudulent version of the information’s real owner. Such is the case with this breach when victims who have come forward note of tax refund claims filed on their behalf without their knowledge. Aside from this, stolen personal information may be used to create a gateway to other areas of the victim’s digital life—which may include online bank accounts, credit card credentials and even social media. Unauthorized access to such details could then lead to the compromise of sensitive data belonging to the victim’s family, friends, and colleagues.
[Read: Identity theft and the value of personal data]
The disclosure of the breach follows a lawsuit filed in the U.S. District Court in Colorado on the failure to secure the information of thousands of Sprouts Farmers Market employees who were recently involved in a similar breach that exposed personal information. In the past month or so, a string of breaches on organizations across various sectors have made news after falling to tricks employed by cybercriminals to harvest sensitive information, including Seagate, Snapchat, Pivotal Software, and even schools like Tidewater Community College, Kentucky State University, and Stanford University.
“With the increase in identity theft crimes and tax filing fraud, every person’s information is vulnerable wherever it may be stored,” Parsons stated. “Nevertheless, because this is a serious matter, we strongly encourage you to take preventive measures now to help prevent and detect any misuse of your information that may occur.”
The Colorado Bureau of Investigation and the FBI are currently investigating the breach. The Archdiocese of Denver, through Parsons, advises those involved in the breach to continue monitoring financial accounts and credit reports to spot any irregularity.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.