Baltimore officials have not learned how fraudsters obtained enough information on dozens of city employees to file fake tax returns in their names, and were working with federal and state authorities Friday to investigate any link between the victims.
But even in an age in which massive data breaches have become commonplace, cybersecurity experts said the blame might not rest on how well the city protects sensitive data. Given that it takes little more to file a tax return than a Social Security number and income information, thieves are increasingly assuming victims' identities to steal their tax returns.
The IRS caught 1.4 million cases of identity theft last year in returns seeking $8.7 billion. Officials said they didn't have precise figures on how often it occurs in Maryland, but nearly 600 people called the state attorney general's office to report such crimes in the past year, a spokeswoman said.
"It's on the rise and it's hugely pervasive, not only here in Maryland but across the country," said Alan Brody, a spokesman for Comptroller Peter Franchot.
Officials notified all city employees Thursday night that they were at risk of fraud after "a few dozen" of their colleagues reported that when they attempted to file their taxes, the IRS rejected the returns. The affected employees work for various city agencies, so no immediate connection was apparent that would explain how the fraud occurred.
The pool of affected employees could be larger than officials know, city spokesman Howard Libit said. It's possible some whose information was stolen filed their taxes before fraudsters tried to, he said. The city is offering credit monitoring services to all current and recently departed employees, as well as retirees.
The FBI, Secret Service, IRS, state attorney general's and comptroller's offices, and city police are involved in the investigation, Libit said.
Cybersecurity experts said there could be a number of explanations for the fraud. Hackers could have broken into city databases using what is known as "spear phishing," when an email appears to be from someone the recipient knows. Or the city might not have been the source of the information at all — the victims could share a common health insurer or may be customers of the same retailer that was targeted.
"They're related, as far as we know, only by the fact that they're city employees," said Richard Forno, assistant director of the University of Maryland, Baltimore County's Center for Cybersecurity. "There's still not enough to go on to say the city is to blame here."
If city systems were breached, experts said, it was not surprising that the source of the data used in the fraud has not been discovered, given the size and complexity of city government. Such a breach would not have been easy to prevent, they added. Four employees in the Mayor's Office of Information Technology are dedicated to cybersecurity, Libit said.
"Most organizations, but particularly local governments, that face serious financial constraints can't keep up with the technology even though they do the best they can, because the modes of attack keep changing," said Donald F. Norris, director of the School of Public Policy at UMBC.
Social Security numbers are shared so frequently, it's becoming less reasonable to assume they can be protected, said Jonathan Katz, director of the Maryland Cybersecurity Center at the University of Maryland, College Park. Katz said his Social Security number was exposed in a recent breach, so he applied to the IRS for a personal identification number for added security. He was surprised by how difficult it was to obtain something that he suggested everyone should have.
"It's unsustainable, this model of relying on Social Security numbers alone to verify somebody's identity," Katz said. "The assumption that it could possibly be kept secret is just not a realistic one."
On top of that, city employees' salaries are public, making them easier targets for tax return identity theft.
A bill that was Franchot's top legislative priority in this year's General Assembly session would have made government salaries available to the public only in $5,000 increments. It also would have given the comptroller's office the power to arrest those suspected of tax fraud.
Both chambers of the General Assembly approved the bill, but it died because lawmakers did not meet to iron out differences in versions passed in the House and Senate.
"That clearly is something we should deal with," Sen. Bobby Zirkin said.
The Baltimore County Democrat said he has received notifications from the IRS each of the past two years that someone attempted to file a tax return under his name.