Belton Independent School District employees may have to use vacation time to deal with aftereffects of a January data breach, a spokesman said Friday.
BISD’s administration was the victim of a “spear phishing” email scam this winter. On Jan. 27, a BISD employee responded to an email that appeared to have been sent by Superintendent Susan Kincannon, attaching 1,700 W-2 forms to the response. But the original email was not from the superintendent; it came from a scammer seeking personal identification data on employees and former employees.
Two unnamed staffers resigned over the breach. Law enforcement and the IRS were notified.
Since that time, some district employees reportedly received letters from the IRS informing them that they must travel to an IRS office in person to confirm their identity in order to complete the process of filing their 2016 taxes and receive their refund.
“We’ve had less than a hundred employees report that they’ve received the letters,” BISD communications director Kyle DeBeer said.
There are IRS offices in Waco and Austin.
DeBeer said that if these IRS appointments conflict with employees’ work schedule, the district’s leave policies require them to take time out of their personal leave.
“Our human resources department has talked with employees about finding ways to minimize that when possible,” he said.
Some hourly employees, such as paraprofessionals, may be able to make up their lost time on other days, DeBeer said.
“In the case of some teachers, there have been discussions of if it’s possible to schedule the appointment so it’s not a full half-day,” he said.
But the district cannot give employees an extra day off to remedy the data breach effects without violating policies set by the board of trustees, DeBeer said.
BISD board president Randy Pittenger said the issue hasn’t come before the board yet, and that they wanted to take care of school employees. He was hopeful the human resources department could come up with a fair solution.
“We clearly understand that this is an inconvenience for employees that are receiving these letters,” DeBeer said. “We’re very sorry that the breach of their personal information happened in the first place…. We understand that this places a burden on them and we’re sympathetic to that.”
According to a 2015 report from the U.S. Treasury Inspector General for Tax Administration, identity theft victims frequently experience long delays in receiving tax refunds.
In 2012, the IRS took an average of 312 days to settle the accounts of identity theft victims owed a refund. In 2013, the agency was able to reduce that average to 278 days.
DeBeer noted that some employees found ways to deal with their IRS problems in their own time. Sticking with the official leave policy is an attempt to maintain consistency and fairness, he said.
“A big question is what’s fair, and what’s fair to everyone who was affected, including people who have found time to answer it on their own,” DeBeer said. “It’s an effort to be consistent and be fair — consistent not just with our policy but consistent with how all our employees are treated.”