Data Breach at Olympia School District
Employees personal information released in phishing scam
By Greg Mohan
Olympia School District fell victim to a ‘phishing’ scheme on Tuesday, April 12. Phishing is a pervasive internet scam in which people impersonate someone online to trick others into giving out personal information. In this case, scammers tried to solicit information of employees from Olympia School District using a fake email account that mimicked the district Superintendent’s, Dick Cvintach. One individual, who was never identified, responded with a PDF file that contained the names, social security numbers, addresses, and salary information of anyone who received a W-2 form during the 2015 tax year. 2,164 employees were affected by the scam including the sender, the superintendent, and currently enrolled student employees between the ages of 16 and 18.
The district’s website suggests the data breach occurred at approximately noon on Apr. 12 with notification of the incident sent out within an hour of discovery, around 7 p.m. the same day. In addition to contacting the employees who were affected by the breach, the district stringently followed policy for responding to data breaches, including a new law introduced in 2015, RCW 42.56.590, that states, “a business, individual, or public agency that is required to issue a security breach notification to more than 500 Washington residents as a result of a single security breach shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General.” The district also contacted the Olympia Police Department and the Internal Revenue Service as initial responses.
District officials consulted security experts, legal counsel, their insurance carrier, and their technology team in an attempt to explore all avenues towards securing employee personal data. Within two days’ time, the district offered potential solutions to the breach. They suggested all employees independently apply for a free credit check and file an Identity Theft Affidavit Form with the IRS. Employees over the age of 18 will eventually be provided access to credit monitoring services at the expense of the district, which includes $1 million identity theft insurance per person, services which are just now becoming available. Employees under the age of 18 will receive the benefit of similar services targeted specifically towards minors. In addition, the district is offering to cover any costs already incurred by employees from attempts to secure themselves from identity theft.
One message sent out by Susan Gifford, Director of Communications and Community Relations at OSD, suggested those affected by the scam remove birthdays from Facebook and other social media due to the fact that tax returns cannot be fraudulently filed without them. Dates of birth were not included in the email received by scammers.
As a result of the incident the district plans to incorporate “additional safety and security training for all staff, especially as it relates to the transmission of private information via email, Internet, and phone,” as stated in a letter released to staff on April 18. Included in this letter, made publicly available through their website, was an apology from Superintendent Cvintach stating, “We are truly sorry for the impact of this incident to employees. We care deeply about the security of each of our current and former employees and will work diligently to prevent similar incidents in the future.”
An Evergreen student and part-time employee of the district, Mia Morettini, shared her own personal reaction to the incident, “I wasn’t urgently worried about everything because there’s really not much to steal from me. I don’t have credit cards and things like that, that other people are really concerned about. What’s been happening is anytime there’s an update the teacher I work with tries to forward me the emails because for whatever reason I’m not on their email contact list and I just get weird cryptic phone calls that are all recorded messages. I don’t have experience with this kind of thing: my credit info and social security stuff. I understand what it is basically, but I feel like I need this to be explained to me very basically as if I’m a child. It’s just a little bit of confusing language and procedural stuff I’m supposed to go through. Being that I’m still new to being an adult, I’m figuring all this out right now. I mostly feel annoyed because most of the times I hear about identity theft the risk of it is because someone was being careless with their personal information or where they’re using their credit cards, things like that. For me, I don’t even have anything like that yet. All I did was become an employee with Olympia School District. It’s entirely out of anything I could do, any of my control. At the same time going through it and having other people go through it with me and being able to figure out what I’m doing since I’m so new to everything made it a lot less scary than I always thought it would be. It’s not the end of the world, it’s just something shitty that happens to people. Because it happens to people so much there are steps to take to protect yourself.”
Moretini, also a part-time employee of the Evergreen State College, suggested that Evergreen itself seems to take stringent measures towards preventing such an incident from occurring at the college. “We have to go through training. Basically telling us what we can and can’t share with people: what information. It’s strict. Even if a person’s parent calls for information there are only certain kinds of information we’re allowed to give them about their child.”
Moretini was unable to comment on preventative training for full-time employees in OSD but suggested that she had received no prior preventative training from the district in regards to data and information security.
Data breaches have taken up much of the public’s attention in the past few years after the massive breach that affected over 70 million Target shoppers in 2013. Following this incident data breaches have been mostly associated with the retail industry, although the most affected industry is actually the healthcare sector, accounting for more than a fourth of all breaches (26.9%) in the last decade according to a study done by Trend Micro. The second was the education sector (16.8%). While not all victims of data breaches are affected by identity theft, Javelin Strategy & Research states, “one in five data breach victims suffered fraud in 2015, rising notably from one in seven in 2014.” The ramifications of identity theft can be very serious. According to the Federal Trade Commission, “once identity thieves have your personal information, they can drain your bank account, run up charges on your credit cards, open new utility accounts, or get medical treatment on your health insurance. An identity thief can file a tax refund in your name and get your refund. In some extreme cases, a thief might even give your name to the police during an arrest.” It is important to note that in the breach that occurred at OSD scammers did not obtain any bank or specific credit card information from employees, making it more difficult to manipulate already existing accounts.
Often times incidents of identity theft do not develop until months and even years after the initial occurrence of data breaches. While there is no hard and fast resolution to the situation at OSD, district officials have done everything in their power to limit potential damage to employees.