Joining the ranks of recent data-breach victims like Target and the Washington state Office of the Courts, the Archdiocese of Seattle has found itself trying to pinpoint which of its many databases has been breached, making potentially thousands of people vulnerable to identity theft.
The archdiocese has hired a forensic-security firm to help it investigate the breach, which has resulted in employees and volunteers being targeted by a national tax-fraud scheme, the archdiocese said Tuesday.
The victims include employees or volunteers from at least three Seattle-area parishes and the chancery offices, according to the archdiocese. Spokesman Greg Magnoni declined to name the three parishes.
Because church officials are unsure how many people may be affected, the archdiocese is advising that all employees and volunteers call the Internal Revenue Service Identify Protection Specialized Unit at 1-800-908-4490, ext. 245, as soon as possible to determine whether their tax identity has been compromised.
In the tax-refund fraud scheme, identity thieves typically file fraudulent refund claims using a taxpayer's Social Security number, according to the IRS. This can lead to delayed or diverted tax refunds.
Church officials were first notified of the fraud cases last week, Magnoni said. Because the reports came from just one parish initially, "it was presumed to be a local issue," according to a memo sent Friday to area parishes by Chancellor Mary E. Santi.
After the memo went out, church officials realized the extent of the fraud was greater than they thought, which prompted the archdiocese to post a notice on its website Monday.
"It kind of mushroomed from there," Magnoni said. "When the announcements went out, people began checking their returns, and more individuals from different parishes and the chancery discovered it as well."
The archdiocese has reported the breach to the FBI and the IRS and hired New York-based forensic-security firm Stroz Friedberg to try to identify the source.
The source may be difficult to pinpoint, Magnoni said, because the archdiocese has so many databases with various types of information. The breach may have occurred from a database in parishes or schools, a vendor's system or another source.
"It's hugely complex," Magnoni said. "We're not going to know what happened until they identify where the breach occurred and what the entry point was."
The archdiocese requests anyone who discovers his or her tax return has been compromised to send an email to email@example.com and include full name, parish or school, and identify whether they are an employee or volunteer.
The archdiocese will update its website with additional information when it's available, Magnoni said.
He said the archdiocese has a number of data-security practices in place.