By Shelby Horton
On March 24, a “phishing” email was sent to an HCC employee, claiming to be from Carter File, the college’s president.
“Hi, I just got a memo from the Internal Revenue Service asking us to verify our employees W-2s we have with them.
“You need to email me an updated list of individual W-2 copies of all employees wages and income tax statements for 2015 tax year in (PDF) file format for a quick review. Prepare the list and send it as an attachment to me ASAP. Regards,
Sent from my iPad”
The email was missing some punctuation.
Its “Reply-to” email address was unusual. It was “firstname.lastname@example.org.”
Coding on the “received from” part of the email — “X-GeoIP-Country: FR” — indicated it came from France.
The HCC employee was not comfortable with the request.
But after talking with some other employees about the unusual email, the worker attached the requested files: 2015 Tax Year W-2 information for 1,357 employees, including all faculty, staff, administrators and many student workers.
Then the worker hit “Send.”
This action would affect the financial security of people like Kim Newberry, sociology teacher at HCC.
All of her W-2 information, including Social Security number, home address and income, was sent out with the rest.
“My biggest issues in this whole mess is the lag in time between when this breach was discovered and when we (HCC employees) were notified,” Newberry said.
“It took less than a week for the criminals to attempt to file a tax return in my name.”
Many employees have expressed disbelief that such records would be sent out without checking with upper management to see if the request was real.
File has declined to discuss details of the incident, other than to speak about it in general.
“This was a human error, not a system breach,” File said, on April 5.
“This is the only breach that we’ve identified since I’ve been president at Hutchinson Community College.”
A new protocol has since been put in place: Only after obtaining a direct “voice” confirmation from a supervisor, from at least the college’s vice-presidential level, can any employee release that kind of information, File said.
Currently, the most likely outcome is that one or more criminals will try to file false income tax returns for the employees.
That already happened to Newberry and reportedly to dozens of other HCC instructors.
Newberry was notified when someone attempted to file fraudulent tax forms in both her and her husband’s names; both are employed at the college.
HCC has taken steps to stop any more employees from being put at risk — by signing an agreement with Kroll Monitoring Service to provide one year of monitoring for all of its employees.
Kroll is a data security service that HCC employees are encouraged to sign up for, to monitor their credit card accounts, bank accounts, and social security numbers.
If someone attempts to use an employee’s information, Kroll will send an alert and determine if it really is the employee opening credit card accounts, making purchases, or filing a tax return.
Kroll includes remediating services and a million-dollar insurance policy per person to cover damages from hackers.
Students and employees were sent emails on April 1 to notify them that they needed to sign up with Kroll.
File said if all employees sign up, it will cost the college about $100,000 for one year’s coverage, but there is a good chance that the college’s insurance will cover that cost. The insurance company is reviewing the matter, he said.
Each employee is to enroll online or by phone with Kroll to activate coverage, using an I.D. number sent to each person by Kroll, via HCC email, after its agreement with the college.
In order to enroll with Kroll, each person will need the I.D. number that was sent to him or her, by April 1 email or by a letter.
A meeting was held April 5 in Stringer Fine Arts to address employee concerns about the breach, about Kroll and how to sign up. But while there were many HCC staff members in attendance, there were few student workers.
“I don’t think the students are informed enough; some students don’t even check their DragonZone (email) regularly,” said Cynthia Perez, Wichita.
HCC students who attended the meeting voiced concerns about the situation, including Holly Wright, Wellington, who worried about her credit being ruined at a young age, when she’ll need it for college loans and other expenses.
While the college filed a police report with Hutchinson Police and the breach is currently under investigation, no arrests have been made. At least nine HCC employees also have filed police reports, in regard to attempts by criminals to file false tax returns in their names, since March 24.
Many employees fear that they could be attacked years, or decades, down the road, by criminals using their Social Security numbers. The college plans to pay for one year of I.D. monitoring, then decide whether to extend the coverage, based on criminal activity, File said.
Employees discussing the situation have reported going through cycles of worrying and anger over the breach and the ease with which the criminals got away with the W-2 files, just by asking for them.
HCC may find it difficult to regain their employees’ trust and confidence, Newberry said.
“I’m very disappointed in this data breach mess, and of course my trust is diminished,” she said. “My personal info was actively placed into criminal hands.”
A copy of the March 24 “phishing” email was obtained from the college after Shelby Horton, editor of The Hutchinson Collegian, delivered a Kansas Open Records Act request to the college on April 11.
According to sections in the Open Records law, the college had three days to respond to the request, either with the requested information, or with references to potential exemptions in the law to allow them to refuse.
At midday Wednesday, April 14, the college emailed the information to Horton.