Update Feb. 2, 2017: The list for 2017 has been moved to its own post that will be updated as more incidents are reported.
Original post:
First it was Dracut Schools. Then it was Tipton County Schools and then Odessa School District whose employees had their SSN and information from W-2 forms acquired by criminals in phishing attacks. And now there’s another successful W-2 phishing attack. Kathy Brown reports:
Social Security numbers and W-2 information for about 1,400 employees who worked over the past year at Campbell County Health were mistakenly released sometime Wednesday to someone impersonating a hospital executive.
Read more on Gillette News Record.
- Update: Add Marin Software to this year’s list (is anyone creating one?) of entities whose employee W-2 data was compromised by a phishing attack.
- Update 2: And now add 1,900 employees at UGI Utilities.
- Update 3: And now add employees of Sunrun.
- Update 4: And add Lexington School District Two in SC.
- Update 5: And add Mercedes ISD in Texas.
I’ll just skip the “UPDATE” prefaces and keep going, huh? …
THE 12-STEP PROGRAM FOR PHISHING
STEP 1: prole opens e-mail message at 12:01am from company CEO, who has never communicated with said prole before:
From: You’re Boss
To: Miss Cellanious
Subject: W-2 Request for all employees’ W2
Dear Mis Cellanious: It is URGENT that you send me list of W-2 copy of employees wage and tax statement for 2015 I need them in PDF file type you can send it as an attachment kindly prepare the lists and email them to me asap.
STEP 2: prole responds to message promptly, including the data as a PDF and Excel worksheet to demonstrate prole be working extra hard.
STEP 3: affected employee complains to supervisor; nothing happens
STEP 4: affected employee complains to supervisor; nothing happens
STEP 5: affected employee complains to supervisor; nothing happens
STEP 6: affected supervisor complains to VP; nothing happens
STEP 7: affected supervisor complains to VP; nothing happens
STEP 8: affected VP complains to EVP; EVP sends email to IT Tech, nothing happens
STEP 9: IT Tech receives warning that IT Tech’s identity may have been compromised.
STEP 10: IT Tech researches matter; phishing email discovered
STEP 11: PR department notified, issues press release:
“We take this matter and the security of personal information very seriously and we will continue to review and enhance our security practices to further secure our systems. We will be offering identity protection services to those employees affected from what we describe as a leading identity monitoring service.”
STEP 12: prole opens e-mail message at 12:01am from company CEO, who has never communicated with said prole before.
few more I don’t see noted here:
1/27/2017 TransPerfect (NY/DE) ~3000 http://www.delawareonline.com/story/money/2017/01/27/transperfect-workers-victimized-data-breach/97129850/
2/1/2017 Davidson County Schools (NC) 1/31/2017 http://myfox8.com/2017/02/01/davidson-county-sheriffs-office-investigating-email-spoofing-attack-involving-school-system-employees-w-2s/
2/2/2017 Dare County Schools (NC) http://wnct.com/2017/02/02/dare-county-sheriffs-office-warns-school-employees-of-e-mail-scam/