Still no solution in Seattle security breach; neighboring Portland also under attack

Despite multi-pronged, ongoing investigations by the Seattle archdiocese, the FBI, the IRS and a forensics security firm, there are still no clear answers on the source nor method of how parish, school and archdiocesan employees' and volunteers' personal information was stolen and used in a fraudulent tax return scheme.

The neighboring Portland archdiocese has become embroiled in the same national scam. Its spokesperson told The Oregonian newspaper on May 3 that hundreds of staff and volunteers have now reported misuse of their Social Security numbers.

More than 5,000 — and counting — persons have notified the Seattle archdiocese of suspicious use of their Social Security numbers since the cyber piracy began to come to light in early March, Greg Magnoni, archdiocesan communications director, told NCR on May 7.

Magnoni said Portland and Seattle officials are sharing information and trying to establish to what degree and in what manner the two cases might be linked.

The Oregonian reported that all victims in the Portland archdiocese had submitted to background checks required to qualify to work with youth and other vulnerable populations.

While those background checks have been mentioned frequently in both the Seattle and Portland investigations, “the IRS is not currently attributing the security breach to the company that conducts background checks of employees and volunteers,” according to an internet report by the Catholic Sentinel, Portland archdiocesan newspaper.

Seattle officials have not officially pointed fingers at third-party vendors either, but a May 2 update posted on its website noted one of the efforts it has made in the case: “We communicated by e-mail with individuals who were are in our Child Protection Training contact list ...”

The May 2 posting also provided an explanation on why personal information including Social Security numbers had been secured “as part of robust procedures to protect ... vulnerable populations.”

The Seattle archdiocese is now running background investigations through the Washington State Patrol criminal background check, which does not use Social Security numbers, Magnoni told NCR in March.

The Oregonian also reported May 3 that Oregon regulators “are investigating whether the archdiocese of Portland violated state law by failing to properly notify employees and volunteers that they could be victims of tax-return fraud.”

The Oregon Division of Finance and Corporate Securities received at least two complaints from consumers, the newspaper reported, that allege the archdiocese was lax in notifying potential victims that their personal information might have been compromised in a security breach.

Both Seattle Archbishop Peter Sartain and Portland Archbishop Alexander Sample have written open letters empathizing with victims and promising concerted action to address the fraud scheme.

Security leaks and resulting false tax refunds have not surfaced in the Spokane, Wash., diocese, said Eric Meisfjord, spokesman. No response on a similar inquiry of the Baker, Ore., diocese had been received as of this report's filing.   

In the May 2 online update, the Seattle archdiocese also reported:

• It will provide “credit monitoring for individuals who had a fraudulent tax return filed in their name if they also submitted a background check form to the archdiocese within the last nine years”;
• It had set up a “special e-mail address so that problems could be reported” (taxinformation@seattlearch.org);
• “The IRS has told us that it will work with you to ensure that you obtain your legitimate refund if it has been sent to someone else” and that the process “may take several months”;
• It had held six regional meetings to inform parishioners about the status of the investigations and to gather information;
• It had “met with the Attorney General of Washington staff to identify ways we could better support affected individuals in our community”;
• “In the aftermath of security breaches, some opportunistic criminals seek to fraudulently obtain personal information of affected individuals by claiming to be the business experiencing the breach,” and warned persons to be “extremely cautious when giving out personal information and do not disclose your Social Security number via e-mail, including to us”;
• It is conducting “vulnerability testing and examining other systems to determine whether they were affected” including the archdiocese's Annual Catholic Appeal (ACA) systems.

According to Monica Lewis, director of Seattle's ACA, there seems to be little if any negative impact on the campaign which recently kicked off its first phase.

Magnoni said the financial hit from the security breach and resulting tax return fraud has not been calculated but is “significant” and ongoing.

“As time goes on,” he said, “it is clear this will be a long-term investigation. When we might see results is impossible to determine at this point.”

He said, “We do have some insurance coverage. I’m not sure about the extent and specific areas of coverage. I can say that some of the costs will be covered by insurance.”

In a March 20 visit to Seattle, IRS Commissioner John Koskinen said the Seattle archdiocese's tax return fraud case is the biggest the IRS has experienced on the West Coast, although there have been similar outbreaks in the past, including Florida, Georgia and the District of Columbia.

[Dan Morris-Young is an NCR West Coast correspondent. His email address is dmyoung@ncronline.org.]