Seattle Archdiocese scrambles to pinpoint database breach

The Seattle TimesMarch 16, 2014 

Joining the ranks of recent data-breach victims, the Archdiocese of Seattle has found itself trying to pinpoint which of its many databases has been breached, making potentially thousands of people vulnerable to identity theft.

The archdiocese has hired a forensic-security firm to help it investigate the breach, which has resulted in employees and volunteers being targeted by a national tax-fraud scheme, the archdiocese said last week.

The victims include employees or volunteers from at least three Seattle-area parishes and the chancery offices, according to the archdiocese. Spokesman Greg Magnoni declined to name the three parishes.

Les Tolzin, a Tacoma attorney, said he believes his identity was stolen as a result of his having volunteered as a Cub Scout leader at the St. Francis of Assisi Parish in Burien.

Like all volunteers, Tolzin said, he was asked to submit to a background check, for which he revealed many personal details, including his Social Security number.

“My wife got notice of what was going on because she’s a teacher at the school,” Tolzin said. “We contacted the IRS on her behalf, and when they checked on her she came back clear, but somebody had filed a tax return under my name.

“We always file jointly,” he said, “so that’s how we knew my identity had been stolen.”

Last Thursday, Tolzin said, he discovered someone had tried to open an account in his name at the catalogue/online retailer Fingerhut.

Tolzin said he’s angry, partly because he has always taken such pains to protect his identity.

“I’ve always been very careful,” he said. “I do everything they tell you to do. I’m careful online. I don’t answer emails that I think are at all suspicious. And then it happens this way — somebody hacks the archdiocese.”

On Friday, two Catholic high schools in Seattle changed their schedules so staff members could deal with the threat of identity theft. O’Dea High canceled classes, and Bishop Blanchet High dismissed students early.

Because church officials are unsure how many people might be affected, the archdiocese is advising that all employees and volunteers call the IRS Identify Protection Specialized Unit at 1-800-908-4490, ext. 245, as soon as possible to determine whether their tax identity has been compromised.

In the tax-refund fraud scheme, identity thieves typically file fraudulent refund claims using a taxpayer’s Social Security number, according to the IRS. This can lead to delayed or diverted tax refunds.

Joe Panesko, who volunteers at St. Michael Parish and School in Olympia, told KING-TV that he found out Tuesday his IRS filings had been breached, and was troubled to learn just a name and a Social Security number can compromise the system.

“The thing that troubles me the most is really the ease by which whoever accesses this info was able to scam the IRS,” Panesko said.

Church officials were recently notified of the fraud cases, Magnoni said. Because the reports came from just one parish initially, “it was presumed to be a local issue,” according to a memo sent to area parishes by Chancellor Mary E. Santi.

After the memo went out, church officials realized the fraud was broader, which prompted the archdiocese to post a notice on its website Monday.

“It kind of mushroomed from there,” Magnoni said. “When the announcements went out, people began checking their returns, and more individuals from different parishes and the chancery discovered it as well.”

The archdiocese has reported the breach to the FBI and the IRS and hired New York-based forensic-security firm Stroz Friedberg to try to identify the source.

The source may be difficult to pinpoint, Magnoni said, because the archdiocese has so many databases with various types of information. The breach might have occurred from a database in parishes or schools, a vendor’s system or another source.

“It’s hugely complex,” Magnoni said. “We’re not going to know what happened until they identify where the breach occurred and what the entry point was.”

The archdiocese will update its website with additional information when it’s available, Magnoni said.

He said the archdiocese has a number of data-security practices in place.

“We have done everything we could to make sure that the databases are secure,” Magnoni said. “We will continue to do things to make sure they are secure in the future.”

More information

The Archdiocese of Seattle asks people who find their tax returns have been compromised by the data-breach to send an email to taxinformation@ seattlearch.org and include full name, parish or school, and whether they are an employee or a volunteer.

Staff writer Rob Carson contributed to this report.

The News Tribune is pleased to provide this opportunity to share information, experiences and observations about what's in the news. Some of the comments may be reprinted elsewhere in the site or in the newspaper. We encourage lively, open debate on the issues of the day, and ask that you refrain from profanity, hate speech, personal comments and remarks that are off point. Thank you for taking the time to offer your thoughts.

Commenting FAQs | Terms of Service