BELTON — The personal information of 1,700 current and former Belton Independent School District employees was compromised Friday when a district employee fell victim to a “spear phishing” email scam.
The data breach was discovered Monday and reported to the Belton Police, the IRS and the FBI. Affected employees were notified by email on Tuesday and will be notified by mail as well.
“In our business office, an employee received an email from someone posing as the superintendent asking for W-2s for employees,” said Kyle DeBeer, communications director for BISD. “The employee responded to the email, providing copies of 1,700 W-2s. ... Obviously, the email was not actually from the superintendent.”
DeBeer said that two employees responsible for the data breach resigned. BISD superintendent Susan Kincannon was not available for comment, but she did email her regrets to those affected.
“Protecting your privacy is an important responsibility, and I take it very seriously,” Kincannon said in the email. “I recognize this issue is frustrating, and steps are being taken to protect you and safeguard the personal information we receive and maintain going forward.”
An IRS representative said that he could not comment on a specific case. However, according to a 2015 report from the U.S. Treasury Inspector General for Tax Administration, identity theft victims frequently experience long delays in receiving tax refunds.
In 2012, the IRS took an average of 312 days to settle the accounts of identity theft victims owed a refund. In 2013, the agency was able to reduce that average to 278 days.
DeBeer said that not all employees were affected. Current and former employees had the option of either claiming their 2016 W-2s online through the Skyward information management system or having a paper copy mailed to them.
“If you opted to print it yourself through Skyward, as an employee, you would not be included in this breach,” DeBeer said. “It was only employees who opted to have a printed W-2 mailed to them.”
Paul Romer, public information officer for Belton, confirmed that a police report was filed.
“It’s the practice of the Belton Police Department to not comment on open cases,” Romer said. “This is a good reminder to the public to safeguard information, especially this time of year.”
DeBeer emphasized that this problem was due to human error rather than a flaw in the district’s computer security.
“This is a ‘spear phishing’ email attack, so it wasn’t that someone hacked into a computer system,” he said. “They used social engineering techniques to convince an employee to release information that obviously should not have been released.”
“Spear phishing” is a specific type of scam in which the victims receive an email that appears to be from someone they know, and that uses personal details about their lives or recent purchases to persuade them to give up private information.
“The IRS has indicated that they will monitor tax returns for affected employees to try to prevent fraudulent tax refunds from being paid out,” DeBeer said.
DeBeer explained that the district has insurance coverage for incidents such as this, and will be using that money to pay for two years of credit monitoring for affected employees. Information on how to sign up for the free credit monitoring service will be sent to those affected.
DeBeer also said that the district periodically reminds employees to be careful in handling personal data.
“There are a variety of pieces of training that start with an employee handbook that emphasizes the importance of protecting the privacy and personal information of employees and students,” he said. “As recently as last December a reminder (was sent) from our technology department about how not to fall for email scams.”