The Los Angeles County Office of Education (LACOE) is investigating a suspected compromise of electronic tax documents belonging to teachers and administrators after employees across multiple school districts received IRS notifications that fraudulent tax returns had already been filed in their names. LACOE manages payroll services for more than 150,000 employees across approximately 100 school districts, community colleges, and charter schools, raising concerns that the affected population could be substantial. The agency has engaged external experts and its W-2 vendor, W2Copy, to assess the scope of the incident.

What Happened

Employees at school districts on opposite ends of Los Angeles County began receiving letters from tax authorities indicating that returns had been filed under their Social Security numbers without their knowledge. The Lancaster School District confirmed impact to an unknown number of employees, with reports surging after staff returned from spring break and attempted to file legitimate returns. Officials first became aware of the pattern through reports from a neighboring district, and the count has grown daily as more employees complete their filings. Notably, employees who filed their taxes early did not receive fraudulent-filing notices, suggesting the unauthorized filings occurred in a recent window tied to the tax season crunch.

The Los Angeles Unified and Long Beach Unified school districts, the county's two largest, confirmed they do not use LACOE's electronic tax document portal and their employees were not impacted, pointing investigators toward the shared LACOE or W2Copy infrastructure as the likely point of compromise.

What Was Taken

The stolen data consists of electronic W-2 tax forms, which contain the complete package of information needed to commit tax refund fraud and broader identity theft: full legal name, home address, Social Security number, employer identification, and annual wage and withholding data. The presence of fraudulent IRS filings confirms that attackers extracted the Social Security numbers and wage data at minimum. Full scope remains undisclosed, but the LACOE payroll service footprint of 150,000 employees across roughly 100 educational institutions represents the upper bound of potentially exposed records.

Why It Matters

W-2 data has been a perennial target for organized fraud rings because it enables immediate monetization through fraudulent refund filings, and the tax season timing means victims may not notice until they attempt to file legitimately. A compromise at the vendor or aggregator level, rather than at individual districts, is particularly damaging: it produces a cross-district exposure pattern that bypasses the security controls of each individual employer. For public sector defenders, this incident illustrates the concentration risk inherent in shared payroll and HR service providers, where a single vendor breach can cascade across dozens of downstream organizations simultaneously. Education sector employees are also less likely to have robust identity monitoring in place compared to private sector counterparts, extending the dwell time of downstream fraud.

The Attack Technique

LACOE has not publicly confirmed the intrusion vector, but the pattern is consistent with known W-2 harvesting tradecraft. Common techniques include credential stuffing or phishing against the electronic W-2 portal, exploitation of weak or default authentication on employee self-service sites, compromise of vendor-side infrastructure, or business email compromise targeting payroll administrators. The fact that impacted employees span multiple geographically separated districts but share the LACOE payroll pipeline strongly suggests the access point was upstream at the W2Copy vendor platform or the LACOE-managed portal itself, rather than individual district systems. The concentration of fraudulent filings in a recent window, rather than across the full tax season, indicates either a fresh intrusion or a delayed weaponization of previously exfiltrated data to align with peak filing activity.

What Organizations Should Do

  1. Audit third-party payroll and W-2 distribution vendors immediately, requiring evidence of multi-factor authentication, logging, and recent penetration testing on employee-facing portals.
  2. Enforce MFA on all employee self-service portals that expose tax documents, wage data, or direct deposit information, and disable legacy authentication protocols.
  3. Monitor for anomalous access patterns on W-2 portals, including bulk downloads, off-hours activity, and authentication from unusual geographies or ASNs.
  4. Proactively notify employees to file their taxes early, request an IRS Identity Protection PIN (IP PIN), and place fraud alerts or credit freezes with the major bureaus.
  5. Review incident response playbooks for vendor-originated breaches, including legal notification triggers under California's data breach law and coordination paths with the IRS Criminal Investigation division.
  6. Offer credit monitoring and identity restoration services to affected staff, and establish a dedicated internal communication channel for employees reporting fraudulent filings so trend data can be captured in real time.
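
A sketch of the monitoring in item 3, as an added example rather than tooling from LACOE, W2Copy, or the source article: it flags bulk W-2 downloads from one source IP, off-hours downloads, and activity from unexpected ASNs. The log format, field names, thresholds, and sample events are all assumptions constructed for illustration.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample of portal access events (not real data).
# Columns: ISO timestamp (local time), account, source IP, source ASN, action
SAMPLE_LOG = """\
2025-04-14T09:12:03,jlopez,203.0.113.10,AS64500,login
2025-04-14T09:12:40,jlopez,203.0.113.10,AS64500,download_w2
2025-04-15T02:41:10,mchen,198.51.100.7,AS64511,login
2025-04-15T02:41:22,mchen,198.51.100.7,AS64511,download_w2
2025-04-15T02:41:50,rpatel,198.51.100.7,AS64511,download_w2
2025-04-15T02:42:15,akim,198.51.100.7,AS64511,download_w2
2025-04-15T02:42:44,tnguyen,198.51.100.7,AS64511,download_w2
2025-04-15T10:05:00,akim,203.0.113.25,AS64500,login
"""

# Assumed tuning values; set them from the portal's own baseline.
EXPECTED_ASNS = {"AS64500"}      # networks staff normally connect from
BUSINESS_HOURS = range(6, 22)    # 06:00-21:59 local time
BULK_ACCOUNTS_PER_IP = 3         # distinct accounts' W-2s pulled from one IP

def find_anomalies(log_text):
    """Return sorted (kind, subject, detail) findings for the three signals."""
    findings = set()
    accounts_by_ip = defaultdict(set)
    for ts, account, ip, asn, action in csv.reader(StringIO(log_text)):
        hour = datetime.fromisoformat(ts).hour
        if asn not in EXPECTED_ASNS:
            findings.add(("unusual_asn", account, asn))
        if action == "download_w2":
            accounts_by_ip[ip].add(account)
            if hour not in BUSINESS_HOURS:
                findings.add(("off_hours_download", account, ts))
    # One IP retrieving W-2s for many different accounts is the bulk signal.
    for ip, accounts in accounts_by_ip.items():
        if len(accounts) >= BULK_ACCOUNTS_PER_IP:
            findings.add(("bulk_download", ip, ",".join(sorted(accounts))))
    return sorted(findings)

if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_LOG):
        print(*finding, sep="\t")
```

Grouping downloads by source IP rather than by account matters here: each account retrieves only its own W-2, so per-account counts stay at one even while a single source works through many accounts.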

Sources: Tax documents for school employees potentially stolen across LA County – San Bernardino Sun