LACOE Investigates Fraudulent Tax Filings Tied to Employee W‑2 Portal
LACOE probes fraudulent tax returns after W‑2 portal logins show only valid credentials, indicating credential compromise rather than a system breach.

TL;DR: LACOE launched an investigation after employees received IRS letters about duplicate tax returns. The W‑2 portal showed only legitimate logins, suggesting credential compromise rather than a system breach.
Context: LACOE manages payroll for over 150,000 employees across 100 Los Angeles County school districts, community colleges, and charter schools. The agency contracts with W2Copy to deliver electronic W‑2 forms. In early spring, employees from several districts reported receiving notices that fraudulent returns had been filed using their Social Security numbers.
Key Facts:
- W2Copy’s forensic review found all portal access used valid, system‑recognized credentials and completed standard authentication; no evidence of invalid credentials, authentication bypass, or portal compromise.
- The two largest districts, Los Angeles and Long Beach Unified, do not use LACOE’s portal and were unaffected.
- LACOE temporarily disabled online W‑2 access and directed employees to obtain forms through district HR.
- Internal emails from LACOE’s CTO and CFO warned administrators that early indicators point to SSN misuse, possibly involving dependent information.
- No other W2Copy clients have reported similar issues.
What It Means: The incident appears to stem from stolen or guessed employee credentials rather than a vulnerability in the W‑2 platform. Attackers likely used valid accounts (MITRE ATT&CK T1078) to log in and download tax documents, enabling fraudulent filings. Because there is no evidence of an exploit, no CVE applies, but the tactic aligns with credential‑theft campaigns observed against the education sector.
Mitigations / What Defenders Should Do:
- Enforce multi‑factor authentication for all portal access, preferably phishing‑resistant methods.
- Monitor login attempts for impossible travel, unusual geographic patterns, or spikes in failed attempts (UEBA rules).
- Reset passwords for all accounts that accessed the W‑2 portal during the investigation window and require password change at next login.
- Deploy credential‑screening services to prevent reuse of passwords exposed in prior breaches.
- Conduct targeted phishing simulations and training for payroll and HR staff.
- Review and harden API endpoints that serve tax documents, ensuring they require MFA and session‑level validation.
- Maintain detailed access logs for at least 90 days and enable alerts for anomalous data downloads.
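Because every login in this incident used valid credentials, detection has to rest on behaviour rather than authentication failures. The following is an added example (not code from the article, LACOE, or W2Copy) that implements two of the monitoring bullets above, impossible travel between successive logins and a spike in W‑2 downloads per account, over constructed portal log lines; the log format, account names, coordinates and thresholds are assumptions.

```python
"""Behavioural detection for a W-2 portal: impossible travel and download spikes.
The log lines and thresholds below are constructed samples, not LACOE/W2Copy data."""
from collections import defaultdict
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

SAMPLE_LOG = """\
2024-03-04T08:02:11Z user=emp1001 event=login result=ok geo=34.05,-118.24
2024-03-04T08:31:40Z user=emp1001 event=login result=ok geo=52.52,13.40
2024-03-04T08:32:05Z user=emp1001 event=download doc=W2
2024-03-04T08:32:09Z user=emp1001 event=download doc=W2
2024-03-04T08:32:12Z user=emp1001 event=download doc=W2
2024-03-04T09:10:00Z user=emp2002 event=login result=ok geo=34.05,-118.24
2024-03-04T09:11:30Z user=emp2002 event=download doc=W2
"""
MAX_KMH = 900.0                # faster than a commercial flight: impossible travel
DL_LIMIT, DL_WINDOW = 2, 600   # more than 2 W-2 downloads within 10 minutes

def parse(line):
    """Split 'timestamp key=value ...' into a dict with a parsed 'ts' field."""
    ts, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv if "=" in p)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def detect(log_text):
    """Return (alert_type, user) tuples in the order the events trigger them."""
    last_login = {}                # user -> (timestamp, (lat, lon)) of previous login
    downloads = defaultdict(list)  # user -> download timestamps inside the window
    alerts = []
    for line in log_text.splitlines():
        r = parse(line)
        user = r["user"]
        if r["event"] == "login":
            geo = tuple(map(float, r["geo"].split(",")))
            if user in last_login:
                t0, g0 = last_login[user]
                hours = (r["ts"] - t0).total_seconds() / 3600
                if hours > 0 and haversine_km(g0, geo) / hours > MAX_KMH:
                    alerts.append(("impossible_travel", user))
            last_login[user] = (r["ts"], geo)
        elif r["event"] == "download":
            recent = [t for t in downloads[user] if (r["ts"] - t).total_seconds() < DL_WINDOW]
            downloads[user] = recent + [r["ts"]]
            if len(downloads[user]) > DL_LIMIT:
                alerts.append(("download_spike", user))
    return alerts
```

In the sample, emp1001 logs in from Los Angeles and then from Berlin half an hour later and pulls three W‑2 copies in seven seconds, so both rules fire; emp2002's single local login and download stay quiet.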
What to watch next: LACOE’s ongoing investigation may reveal the scope of credential exposure and whether additional districts are impacted; defenders should watch for updates on any identified credential‑dump sources or related phishing campaigns.