The Los Angeles County Office of Education is investigating the possibility that bad actors gained access to the electronic tax documents of teachers and administrators after employees at schools around the county received letters indicating fraudulent tax filings had been submitted in their names.
The Southern California News Group confirmed that employees at two school districts, on opposite ends of L.A. County, have been impacted, but the full scope of the potential data breach was not immediately available.
LACOE declined to provide information about how many school districts or employees may be affected. The regional agency manages payroll services for more than 150,000 employees across 100 school districts, community colleges and charter schools in Los Angeles County, according to its website.
“The Los Angeles County Office of Education is currently investigating fraudulent tax return filings from some employees both in our organization and in some L.A. County school districts,” said Van Nguyen, the public information officer for LACOE, in an email. “We are working with external experts and the W-2 vendor to review the issue. We will continue to provide updates to the community as appropriate.”
The Los Angeles and Long Beach unified school districts, the county’s two largest districts, do not use LACOE’s portal for electronic tax documents and their employees were not affected, according to those districts.
Karla Estupinian, a spokesperson for the Lancaster School District, confirmed that some employees in the district have received letters about fraudulent tax filings, but she was unable to provide an estimate of how many due to the ongoing investigation and the fact that some may have only recently filed their taxes.
“We’re still in the early stages of this and we’re really waiting to hear back from LACOE,” she said.
Lancaster school officials first heard about the issue from another district. Once its own employees returned from spring break last week and began making similarly troubling reports, it became clear it was not isolated to a single district, Estupinian said.
“This week, we’ve been hearing from a lot more,” she said. “After we started hearing about us, we heard that other districts nearby were also impacted.”
The number of Lancaster employees affected has continued to grow as more and more finish their taxes, she said. Employees who filed early did not receive letters, suggesting fraudulent filings may have occurred recently.
LACOE contracts with a vendor, W2Copy, to provide electronic W-2s to its employees and the employees of certain school districts. In a statement, W2Copy said it disabled access to the tax document portal out of an abundance of caution once LACOE reported its concerns.
None of its other clients has reported similar issues, according to the statement. Still, the company brought in a third-party cybersecurity firm to conduct a forensic investigation of the entire W2Copy network and no breach was found, the company said.
“Specifically, the investigation found that all login activity to the portal observed during the review utilized valid, system-recognized credentials and successfully completed authentication through the standard login process,” the statement reads. “No evidence was identified indicating the use of invalid credentials, authentication bypass, or compromise of the portal’s login mechanism.”
Any assertion that W2Copy’s systems were hacked, or its security defeated, “is not supported by the findings of the third-party forensic investigation conducted on our behalf,” the company said.
Earlier this week, Jose Gonzalez, LACOE’s chief technology officer, and David Hart, its chief financial officer, sent out emails to L.A. County school administrators warning about the fraudulent filings and provided a form letter to send to employees.
“While the investigation is ongoing, there are early indications that Social Security numbers were used to file fraudulent tax returns and some cases may have involved the use of dependent’s information as part of the fraudulent filings,” they wrote. “It is important to acknowledge that this type of activity reflects a broader environment where organizations across the country are constantly confronting evolving threats related to cybersecurity and identity theft. Accordingly, we encourage all districts and employees to remain highly vigilant.”
The missive states that LACOE has “temporarily disabled access to online W-2 forms” and that employees needing those documents should contact their district’s human resources department instead.
Gonzalez and Hart’s email includes a tip sheet detailing the steps that employees can take if they receive a letter from the IRS or the state’s Franchise Tax Board indicating that a duplicate return has been filed.
Cyberattacks on school districts have become all too common in recent years. Hackers in late 2023 stole Glendale Unified School District employees’ Social Security numbers, driver’s license numbers and financial account information and demanded a ransom for the data, according to the Los Angeles Times.
Employees did not learn the full extent of that breach until months later when they attempted to file their taxes, only to find that somebody else already beat them to it.
That same year, hackers stole student identification numbers and email addresses from Long Beach Unified and posted the data online.
In 2022, Los Angeles Unified School District was forced to disable all of its computer systems for several weeks after a cyberattack compromised student records, COVID test results and Social Security numbers.