The Seattle archdiocese, the FBI and the IRS are working to determine the scope and source of a security breach that surfaced after discovery of false tax returns filed in the names of archdiocesan, school and parish employees and volunteers.
Meanwhile, an increasing number of those employees and volunteers are spending long wait times in IRS and credit bureau phone queues trying to sort out if -- or to what extent -- hackers might have used their personal information.
Even if that data has not been used to date, it could still find its way into varied forms of identity theft down the road, many fear.
In an "Urgent Notice" updated Friday on the archdiocesan website, employees and volunteers are told they could be "victims of a national tax refund fraud."
"Victims' Social Security numbers have been used in fraudulent tax returns for the calendar year 2013," it stated.
In a letter Thursday to "pastors, pastoral leaders and school administrators," Archbishop J. Peter Sartain offered "prayer and empathy for experiencing personal disruption, anxiety and in some cases serious fraud."
"One hears about this kind of scam but hopes it never touches us personally," he wrote. "Now that it has, I want you to know how sorry I am that this is happening and offer my assurances that we are doing all in our power to get to the bottom of it, with the assistance of experts and law enforcement."
The Seattle Times on March 12 quoted archdiocesan spokesman Greg Magnoni as saying personnel in at least three parishes as well the chancery had been victimized.
It was unclear if any fraudulent tax refunds had actually been issued and cashed.
Seattle's KIRO-TV reported that "several Catholic schools adjusted their schedules" on Friday to allow their staffs to "deal with any fraud." Among them, Bishop Blanchet High School recessed early and O'Dea High School canceled classes altogether.
KIRO-TV also said "as many as 90,000 staff and volunteers in Western Washington" might be vulnerable to the leak. No source was cited for the estimate.
There are 579,500 registered Catholics in the archdiocese, according to its website.
The archdiocese has hired the forensic security firm Stroz Friedberg "to assist us in analyzing the situation," the Web notice stated.
Magnoni told The Seattle Times that initially it appeared fallacious tax returns were confined to one parish. Chancellor Mary Santi sent a memo to parishes March 7 saying that "it was presumed to be a local issue," the Times reported.
"It kind of mushroomed from there," Magnoni told the Times. "When the announcements went out, people began checking their returns, and more individuals from different parishes and the chancery discovered it as well."
Magnoni told the Times that pinpointing the breach might be difficult because the archdiocese has several databases with various forms of information. He noted that potential entry sites could be a parish, school or vendor.
"It's hugely complex," he added.
So is addressing the myriad ways the leaked information might be used, according to some who have been impacted.
An unpaid coordinator of volunteers at one parish who asked not to be named told NCR the IRS said three attempts had been made to file fraudulent tax returns using the source's Social Security number and other personal information. Luckily, various factors flagged the attempts as bogus.
The IRS agent told the source that 87 of the previous 90 calls were related to the Seattle archdiocesan security case.
The source said the roughly 50 volunteers under their supervision had been required by the archdiocese to take its training on the protection of "vulnerable populations" such as children or the homeless. Required background checks solicited Social Security numbers and other personal information.
"That is where I am up in arms," the source said. "We promised them their Social Security numbers would be safe."
The source described initial parish attempts to alert potential victims as "not fast enough and not enough. I don't think they understood the depth and ramifications of this. Some of these volunteers are not even members of our parish community."
To further protect information, the source followed advice to purchase an identity theft monitoring program through the credit auditing firm Equifax, which costs $299 annually. "According to our accountant, we will have to be doing this the rest of our lives. You just do not know where this information is being sold. They could apply for loans in my name, and then default. It is so easy once you have the information."
Self-described as an experienced administrator who can "put on a hard shell" and deal with challenges presented by the security breach, the source expressed concern about "older persons, for example, who do not have this background," who volunteered for ministry only to perhaps find themselves tangled in an identity theft web.
According to Seattle's KING 5 News, an estimated 100 people attended a meeting at Holy Rosary School in West Seattle Sunday evening to learn more about the security breach from archdiocesan and IRS officials. The officials also sought information from participants. Media were excluded from the gathering.
"Administrators at several schools, along with the victims themselves, tell KING 5 at least 80 people from six different parishes across the Puget Sound had their tax returns falsely filed," said a report on the television outlet's website.
The archdiocese's online statement also urged "all employees and volunteers" to take several steps "as soon as possible," including:
- Contacting the IRS Identity Protection Specialized Unit "to determine if your tax identity has been compromised";
- Asking the IRS to "place a note ... in their records" about the potential identity theft even if no apparent fraud had yet occurred;
- Placing a "90-day fraud alert" with the credit bureau Equifax, which, in turn, "will notify the other credit bureaus";
- Submitting a report to the Federal Trade Commission if identity compromise has been established;
- Filing a local police report as well as calling Agent Leia Bellis in the IRS Criminal Investigations Unit if fraud activity had been confirmed.
The warning and instructions were also posted in Spanish, Vietnamese and Korean. A link to the IRS website's information on identify theft and victim assistance was provided.
Asked in an email if similar security breaches or IRS scams have been reported to the U.S. bishops' conference, Office of Media Relations director Sr. Mary Ann Walsh responded, "No."
[Dan Morris-Young is NCR West Coast correspondent.]