On February 19, I reported that I was finding 2016 W-2 tax statements for sale on the darknet. In that post, I noted that I was not identifying one Florida college I had contacted that day to alert them that at least one of their employees’ W-2 statements was up for sale – and that others might be, too. Their CISO contacted me the next morning and began an investigation.
Over the past few weeks, I have stayed in contact with the college to follow up. I also managed to contact the darknet vendor, who claimed that he had not phished the college for the W-2 statements, but had hacked the college and had acquired approximately 23 W-2 statements from high-income employees plus other W-2’s of lesser value. DataBreaches.net contacted the college again to suggest that they might be looking for evidence of a hack, and not a phishing scam.
Today, I see that the college, Daytona State College, notified the Montana Attorney General’s Office of a breach. Their template notification, available here, was dated the day I informed them that they might be looking for a hack. Their letter reads, in part:
We are writing to let you know about a data security incident potentially involving your W-2 information and to provide you with steps you can take. Please read the following security information.
What Happened
On February 19, 2017, Daytona State College (DSC) became aware of a potential security incident involving certain employee information. At this time, we believe the information at issue includes 2016 W-2 information. Our investigation into this matter is ongoing, and we have not yet confirmed the nature or scope of the incident, including whether this incident involves DSC systems or precisely who and what information may be impacted. However, in an abundance of caution, we wanted to make you aware of the incident and to provide you with steps and services you can take to protect your information.
Kudos to them for alerting staff even though they had not yet definitely identified the scope of the potential problem or the method of attack. Hopefully, at some point they’ll send me a statement or follow-up telling me what they found.
It was very nice of them to notify their employees? NOT! My wife and I both work at DSC, and neither of us were notified. This is the first we have heard of the matter.
Your notification might be in the mail, literally. Please let me know if you get one.
Keep in mind that DSC appears to have made the decision to notify even though they had not yet confirmed any breach of their system. Difficult situation for them, but I think they were trying to do the right thing by their employees.