Cyber Incident Victim: GreenShades

Date: Feb 2016

Location: United States of America

Summary

Hackers compromised tax information of Ozaukee County employees by breaching GreenShades' web platform, which the county used for tax filing services. The intrusion involved unauthorized access to W-2 and Form 1095 data, leading to fraudulent tax refund filings affecting at least 190 individuals. Suspicious login activity on the platform triggered the breach discovery, though the attackers successfully exploited the stolen information for financial fraud before detection.

Description

In February 2016, Ozaukee County, Wisconsin, employees experienced tax refund fraud stemming from a cybersecurity incident involving GreenShades, a provider of tax filing services used by the county workforce. GreenShades detected unauthorized activity on February 14 when it identified suspicious login attempts on its web platform. The breach exposed sensitive employee tax documentation, including W-2 forms and Form 1095 information, which contain Social Security numbers, income details, and other personally identifiable information required for tax processing. This compromised data enabled threat actors to file fraudulent tax returns in the victims’ names, diverting refund payments illicitly. By February 13, 2016—the day before GreenShades discovered the suspicious logins—fraudulent filings had already impacted 190 county employees, indicating the attackers had exfiltrated and exploited the data rapidly following initial access. The incident directly affected Ozaukee County’s administrative operations, as employees faced delays in legitimate tax refunds and potential financial harm from identity theft.

GreenShades initiated an investigation upon identifying the anomalous logins but did not publicly disclose technical specifics regarding the intrusion method, scope of system access, or duration of unauthorized activity prior to detection. The company’s discovery timeline suggests the breach was identified contemporaneously with the fraudulent filing surge, leaving limited opportunity for preemptive containment. No information was provided about whether multi-factor authentication or other safeguards were in place at the time of the compromise. Ozaukee County employees were forced to engage with the Internal Revenue Service to resolve fraudulent claims, a process typically involving affidavit submissions, credit monitoring, and extended refund delays. The 190 confirmed victims represented a significant subset of the county workforce, though the total number of exposed records remained unconfirmed in available reporting. Tax refund fraud incidents of this nature often impose long-term burdens on victims, including credit freezes and heightened scrutiny during subsequent tax seasons.
