Kentucky State University was hit with a data breach on March 22 when an employee, responding to an email supposedly from the school’s president, sent off W-2s for employees and students.
How many victims? 1,071 people
What type of information? 2015 W-2s and university identities for employees and students, including names, Social Security numbers and addresses.
What happened? An attacker impersonating the school’s president, Raymond Burse, sent a phishing email to a staffer requesting 2015 W-2s for employees. The employee sent the data unaware that the email was not from Burse.
What was the response? In a posting on KSU’s website, Burse announced that the school has taken steps to mitigate the consequences of the breach and has notified the three major credit reporting agencies. As well, federal and state authorities were notified and are investigating. Burse recommended that those effected “closely monitor” all financial accounts, urged victims to contact the three credit reporting agencies for free credit reports, and offered a free, one-year memebership to an ID monitoring product from one of the credit agencies.
Details The police report reveals that 1,071 people had their personally identifiable information compromised by the breach. KSU reported that 452 of those affected are current regular employees, 210 are students, and the rest are former employees.
Quote “This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data,” Internal Revenue Service Commissioner John Koskinen said in an IRS release.