March 9, 2015

Shredding documents, monitoring credit ratings — doing everything right is still no guarantee personal information will stay safe. And Dan Byrnes, director of sports facilities management and recreation services at Ball State, knows firsthand how maddening that is.

“As one agent of the credit bureaus stated, your Social Security number is out there forever, so the journey of protecting our family’s identity looks like it will be a lifelong pursuit. That’s scary,” said Byrnes, who learned his family’s information was compromised when an IRS-issued debit card he wasn’t expecting arrived in the mail. “It is frustrating to have one incident that is not your fault cause so much stress and inconvenience, particularly when you think you have done all the right things in protecting your identity and financial health.”

Bernie Hannon, vice president for business affairs at Ball State, said university officials have contacted or are working with the IRS, the FTC, the Indiana attorney general and the Indiana Department of Revenue, among others, as investigations continue into tax refund related fraud and other identity theft issues. Hannon said that to date, university officials are aware of 80 Ball State employees who have confirmed fraudulent tax reports were filed in their names. He added university officials are still urging those who encounter difficulties to report the issue to the police department in the town in which they reside.

“Identity theft is just a massive, nationwide problem,” Hannon said. “But that mass of numbers is little consolation to the individuals working through the issue.”

To that end, Hannon said the university has established a new information resource specifically for employees who have questions or concerns about identity theft. The Identity Theft Information Line, accessible by calling 765-285-4883 or emailing, was launched today, March 9, and Hannon said it will remain active at least through tax season and as long thereafter as it is needed to help address employees’ concerns. The line will be staffed from 8 a.m. to 7 p.m. Mondays through Thursdays and from 8 a.m. to 5 p.m. on Fridays. In addition, the university has created a webpage with information about how Ball State employees can protect themselves from identity theft at

Meanwhile, Loren Malm, associate vice president for information technology, said his team members are keeping close tabs on university systems.

“We’re monitoring key systems, services, and processes used to handle employee and student information. Privacy and security are of the utmost importance, and Ball State takes numerous safeguards at multiple layers to prevent unauthorized disclosure of confidential information,” Malm said. “We continue to monitor the network and systems, and we’ve not detected evidence of malicious activity suggesting a breach.”

While Anthem has confirmed that Ball State employees are among the estimated 80 million people whose personal data was compromised in a Feb. 4 security hack, the trend is not limited to the health insurance giant. Last October, JPMorgan Chase revealed an estimated 83 million account holders’ information was at risk. Prior to that, retailers including Target and Home Depot were compromised. Even credit reporting service Experian was breached in March of last year, exposing an estimated 200 million consumers.

Despite increased awareness and efforts by companies to secure information, experts say the incidents are only likely to increase. Fran Rosch, senior vice president at Symantec, a computer security and software firm based in California, testified last year before a U.S. Senate Judiciary Committee that millions more are at risk of exposure.

One reason, said Frank Groom, a Ball State information and communication sciences professor, is that hackers are becoming increasingly sophisticated. The general pattern is that skilled hackers, frequently from China, Russia, Eastern Europe, and sometimes Western Europe cause disruptions by accessing American companies’ data centers, he said.

“This has been going on for years, but in isolated clusters, so the news stays local,” Groom said. “For example, there is not much national news about the Ball State and Western Kentucky tax fraud. However, Hagens, Berman, Sobol, and Shapiro LLP of Seattle have filed a class action lawsuit against Anthem for the lack of security of customer identity information. There must be some activity there in Seattle. Furthermore, Bloomberg Business and the Insurance Journal have stated that the FBI has tentatively identified Chinese state-sponsored hackers as the Anthem thieves.”

Groom believes hacking will only get worse because the skills and tools of hackers are at the highest levels, and many are sharing information.

“They are so proud of their knowledge and skills much like the telephone hackers of years ago,” Groom said. “These materials are publicly available, and you can download instruction manuals on how to perform these operations — although the FBI might visit you afterward if they are alert.”

So Robert Siciliano, identity theft expert with, said regardless of whether someone is concerned about data being compromised, the best defense is a good offense.

“First and foremost, consider your data breached,” he said. “Assume that more than likely your information is in the hands of criminals.”

Siciliano said that in the same way responsible drivers have car insurance, responsible consumers should enroll in an identity theft protection service. “That’s one of those things in life now that you should just have. If you go out for a nice dinner, you’re going to spend $100 to $150 on that dinner. You should be willing to spend that on identity theft protection.”

Ball State employees who are Anthem plan members can enroll in an online identity theft and credit monitoring service at no cost to them at for the next 24 months. Anthem is providing the service through AllClear ID.

Additionally, Siciliano recommends that consumers enact a credit freeze through the three credit reporting bureaus.

“It does not negatively impact your credit in any way,” he said. “When you want to get credit, you can lift that freeze temporarily.”

Victim adviser Matt Davis, with the ID Theft Center, said parents can take those same steps to protect their child’s information. Parents should start by requesting a credit report for their child.

“If they say no credit file exists, that’s good news,” Davis said. “If a file exists, request a credit report before setting a freeze.”

The report before the freeze is critical, Davis said, because a freeze does not prevent someone from using a credit card that’s already been opened. And a report can’t be obtained once a freeze has been set. So verifying that a child’s information is “clean” is the first order of business for parents. And if parents don’t want to request a freeze, they can still request three credit reports annually for a child’s Social Security number, as is allowed by law.

Bruce Geelhoed, professor of history, said he did everything recommended after learning he and his wife’s taxes had been fraudulently filed. Now, Geelhoed looks to the future.

“We shred our documents, nobody gets our Social Security numbers ... we try to stay as buttoned up as we can,” he said. But the pervasiveness of identity theft means he’ll do more. “People are just going to have to make adjustments for their own protection. My wife and I are going to have to consider what increased measures we can take to avoid future problems. No one can totally prevent it, but we can take steps to avoid it.”

For more information about protecting yourself from identity theft, visit the National Crime Prevention Council. And for information about the types of identity theft and other information, visit the ID Theft Center victim resources page.

Ball State will continue to update this story as information becomes available.  

By Lisa Renze-Rhodes, Marc Ransford and Greg Wright