Cyber Incident Victim: Stanford University

Date: Apr 2016

Location: United States of America

Summary

A data breach at Stanford University compromised employee W-2 tax forms through unauthorized access to a third-party vendor system, W-2Express, operated by Equifax. Attackers exploited pre-acquired Social Security Numbers and birthdates to fraudulently download approximately 3,500 current and former employee records, with at least 600 confirmed as maliciously obtained. The breach did not originate from university systems, and the targeted vendor authentication method—used by multiple employers—was disabled pending implementation of enhanced security measures. Affected individuals received notifications and were offered complimentary credit monitoring, identity fraud coverage, and fraud resolution support through Equifax. The incident reflected broader patterns of tax-related identity theft targeting employer-provided W-2 services.

Description

On April 4, 2016, Stanford University’s Department of Public Safety and Information Security Office issued an alert to the university community following reports from employees about fraudulently filed tax returns. Initial assessments suggested the incidents were part of broader tax fraud trends rather than a targeted attack against Stanford. However, an ongoing investigation revealed the university was specifically targeted as a source of employee W-2 forms. The attackers exploited Stanford’s third-party tax service, W-2Express, operated by Equifax, to download approximately 3,500 current and former employee W-2 forms. While most downloads were legitimate, at least 600 were confirmed fraudulent. The perpetrators gained access by using pre-acquired Social Security Numbers and dates of birth—information not believed to have been obtained from Stanford’s systems. The compromised data enabled fraudulent tax filings, though many affected individuals remained unaware of the breach at the time of the announcement.

Stanford disabled W-2Express immediately to prevent further unauthorized access and collaborated with Equifax and law enforcement to investigate the breach. The university confirmed the attackers bypassed W-2Express’s authentication system, which relied solely on personal identifiers and lacked the two-step verification protecting Stanford’s internal Axess portal. Notifications were prepared for all employees whose W-2s were downloaded via the service, regardless of legitimacy, with instructions for enrolling in Equifax-provided credit monitoring, fraud alerts, and identity theft coverage. Affected individuals were advised to file taxes normally and report any fraudulent activity to tax authorities and Stanford’s Financial Support Center. The university committed to restoring W-2Express only after implementing a more secure authentication method, while emphasizing that similar breaches had impacted other organizations using comparable third-party services.
