Kentucky State University in Frankfort has informed its employees about a data breach, including information from W-2 tax forms.
On Tuesday, the university posted this alert on its website: “This correspondence is to inform you of a data breach that occurred on March 22, 2016, and involved the inadvertent disclosure of personally identifiable information of current and former Kentucky State University (“KSU”) employees. The data included KSU W-2s for 2015 and university identification information.”
The posting said KSU “has already taken action to limit the effects of this breach and to identify” the responsible culprits. Federal and state authorities have been notified and are investigating, KSU said.
The university said it had notified all three major credit-reporting agencies.
The Internal Revenue Service issued an alert to payroll and human resources professionals this month to beware of a phishing email scheme that purports to be from company executives and requests personal information on employees.
The IRS learned that the scheme — part of a surge in phishing emails seen this year — has claimed several victims as payroll and human resources offices mistakenly emailed payroll data, including W-2 forms that contain Social Security numbers and other personally identifiable information, to cybercriminals posing as company executives.
“This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data,” IRS Commissioner John Koskinen said in a release. “Now the criminals are focusing their schemes on company payroll departments.
“If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.”
The IRS issued a wider consumer alert for email schemes after seeing an approximate 400 percent surge in phishing and malware incidents this tax season and other reports of scams targeting others in a wider tax community.
KSU recommended some steps for employees to limit the exposure of personally identifiable information.
The university advised employees to monitor all financial accounts closely and, if they see any unauthorized activity, promptly contact their individual financial institution and/or submit a complaint to the Federal Trade Commission, Suite 1825, 55 West Monroe Street, Chicago, Ill. 60603; calling 1-877-ID-THEFT (1-877-438-4338), or go to Fccomplaintassistant.gov.
In addition, to learn more about steps to protect against identity theft, employees may contact the Kentucky Attorney General’s Office, Office of Consumer Protection, 1024 Capital Center Drive, Frankfort, Ky., 40601, by calling 1-855-813-6508, or going to Ag.ky.gov/family/consumerprotection/idtheft/Pages/default.aspx
KSU employee also may want to contact the three U.S. credit reporting agencies (Equifax, Experian and TransUnion) to obtain a free credit report from each by calling 1-877-322-8228 or by going to Annualcreditreport.com.