Hackers Defraud TaxAct Customers, Snoop into U-Va. Personnel Data, and Breach Brigham and Women's Hospital

In case you missed our coverage this week in ThreatWatch, Nextgov’s regularly updated index of cyber breaches: 

ID Thieves Access TaxAct Customers' Personal and Financial Data

Fraudsters who apparently gamed TaxAct's identify verification controls compromised, and may have copied, personal and tax return information from hundreds of customers. In addition, the software provider detected suspicious activity surrounding 9,000 accounts. Those accounts have since been frozen.

The company says it has no evidence any TaxAct system was hacked. Rather, it believes thieves obtained customer names and passwords elsewhere, perhaps from other data breaches, to crack open individual accounts. 

The breaches occurred in November and December 2015. 

TaxAct said early detection of the apparent scheme confirms an anti-fraud campaign launched by the IRS and tax-preparation firms over the past year is working. Tax refund fraud happens when criminals use stolen personal information to file a fraudulent tax return claiming a refund. 

A spokeswoman for the IRS said, “The IRS has already taken steps in our systems to protect the affected accounts.”

Sham Email Campaign Exposes Employee Data at University of Virginia

Overseas hackers, now are in custody, allegedly gained access to records for more than a thousand U-Va. personnel, including W-2 tax forms from 2013 and 2014.

The school disclosed the case Jan. 22. 

The data breach involved the use of a “phishing” scheme, where the hackers sent emails to U-Va. staffers asking them to click on a link and provide their account log-in information and passwords. 

The hack affected staffers in the school’s academic division.

The FBI "recently notified" the school of a data exposure following an extensive law enforcement investigation, Patrick D. Hogan, U-Va. executive vice president and chief operating officer, said in a statement. "University officials are also aware that other colleges and universities were targeted by these perpetrators."

Health Information on 1,009 Patients at Brigham’s Hospitals Now Compromised

Brigham says an employee’s email account was hacked using stolen credentials but has not disclosed how those credentials were nicked.

In a statement, the hospital center said it learned “an unauthorized party obtained the network credentials” of one of its employees and entered “those credentials to access that employee’s email account…We determined that the emails potentially contained information for a limited number of individuals including full name, date of birth, medical record number, provider name, date of service, and some clinical information, such as diagnosis and treatment received.”

This incident did not affect the patient electronic medical records system, rather only certain files contained in the single compromised email account.

Contractor Seizes Employer’s Home Improvement Website; Pockets Money for Unfinished Business

A Delaware County, Pennsylvania, worker is accused of stealing thousands of dollars from a couple for a construction project he never started and illegally taking over a website he was hired to create, which he then used to pilfer said money.

It all began in July 2014. James and Patricia Blaney wanted a two-story addition made to their house.

They found a website for contracting company J.D. Kelly Corporation. The Blaneys emailed the address listed on the site and Vincent Cottrell, 39, called them back, authorities say.

John D. Kelly, the owner of the company, told authorities he hired Cottrell to create a website for his contracting service, but once the site was constructed, Cottrell did not provide Kelly with the login information.

It was during this period Cottrell allegedly listed himself as vice president of sales and business development on the site without permission, leading to the Blaneys contacting him for their addition.

They hired Cottrell and went on to issue six checks totaling $52,706.32, between November 2014 and March 2015, to Trend Consulting Group, a company where Cottrell was listed as managing partner and CEO.

Cottrell postponed the project multiple times for various reasons. He initially told the couple there was an issue with Upper Darby Township concerning the fire code, then with the permits, and then with the masonry contractor not being licensed in the township.

The couple confronted Cottrell as to why the township didn't have any documents from him. Cottrell now faces charges of, among other things, theft by deception and identity theft.