David Crowder reports:
In mid-April, computer hackers had five days’ access to the personal data of a reported 51 El Paso Independent School District employees and were able to redirect their April 15 paychecks.
That’s what the district has told the employees who were hacked, including longtime teacher Anne Stewart. EPISD made good on the missing paychecks, but Stewart and her husband James wonder if they’re getting the whole story.
Read more on El Paso Inc.
It seems that the district’s notification letter to 9,000 employees irritated at least a few of the recipients for seeming to blame the 51 victim employees for falling prey to a widespread phishing attack. The notification bulletin reportedly began:
“The recent phishing attacks on the district over the past several weeks were unprecedented in their frequency as well as the numbers of employees reached.
“51 account passwords were eventually given up and the paycheck direct deposits of the account owners were re-directed to the attackers’ bank accounts last payday, April 15.”
The notice told employees that the ultimate defense “is your alertness and critical analysis.”
“YOU CAN prevent the severity of these attacks by not clicking on links unless you absolutely know the sender and the link makes sense to you,” the bulletin reads. “In 2016, you cannot afford to be in a hurry, distracted, not thinking, nor sorry afterward.”
It goes on to advise employees that additional security measures are coming because phishing is a crime that hurts the district, taxpayers “and most of all the people who surrender those passwords.”
Wow. First, the spouse of one of those affected went through every email the employee received over the past few months, plus responses to them, and there was no request for a password or transmission of a password. So where’s the district’s evidence that the employees gave up their passwords and they are responsible for becoming victims?
Second, this is not the first time the district claimed it wasn’t responsible for a breach. Back in 2011, when a hack affected 70,000 employees and students, the district claimed it wasn’t liable because of government immunity.
This time, the district reportedly promised the 51 victims one year of credit monitoring services, but employees have not received the offer nor information on how to protect themselves.
Incident response grade? You be the judge after reading the article.