Feb 20 2019

Ding! Ding! Ding!

I think we have our first W-2 phishing report of this year, although of course I may have missed other ones. This one involves the Centinela Valley Union High School District in California.  From their notification to the state:

As a follow up to the email sent to you on January 31, 2019, we wanted to provide you additional information about the recent incident involving your personal information.

What Happened

On January 31, 2019, we learned that one of our employees received a phishing email designed to appear as if it came from one of our other employees. Upon discovery, we immediately began an investigation to determine the scope of the incident and to verify what information may have been affected. We also notified the IRS, state tax boards, and federal law enforcement authorities, and we are cooperating with their ongoing investigation.

As a result of this phishing incident, an unauthorized individual may have obtained IRS Form W-2 information for our employees, including employee names, addresses, Social Security numbers, and 2018 wage information.

Read more of the full notification here.

As of the 2008-2009 school year, the district had 614 employees. I do not yet know the current number, however.

Feb 17 2019

Linda A. Moore reports:

A former Rhodes College student pleaded guilty Tuesday to hacking into the college’s computer system to change his grades and keep his scholarship.

Michael Geddati, 20, was a freshman pre-med major when between December 2017 and May 2018, he accessed various systems without authorization to raise his grades.

Geddati’s actions were detected after a faculty member noticed that the grade in the computer system was higher than the one Geddati had earned.

The investigation showed that on dozens of occasions, Geddati logged in as an instructor. He frequently changed his grades and was able to download an exam ahead of when it was given.

Read more on Commercial Appeal, including a description of the terms of a plea deal and a statement from the college.  And because Geddati’s job involves working with computers, he has been ordered to tell his employer about the case. The judge told Geddati, “They need to know what you’ve done and what you’re capable of doing.”


Feb 16 2019

Kevin Landrigan reports:

Manchester school administrators confirmed Friday that a data breach occurred when individual student scores on tests were inadvertently sent to all families of Hallsville Elementary School students.

The individual score sheets were attached to an email sent out on the results of the latest iReady data on reading and math tests which had showed some progress for the K-5 school located at 275 Jewett St., officials said.

Read more on Union Leader.

Feb 15 2019

Someone asked me today about the lack of W-2 phishing reports or W-2 incidents that we’ve seen so far this year. I responded that I hadn’t really had time to research W-2 attacks yet, but a reader, “DLOW,” has now kindly submitted a news story by Mary Richards of KSL in Utah. The kinds of tax documents involved in this incident do not contain full Social Security numbers like W-2 forms do, but it’s still a tax document incident:

Forty-two thousand students at Salt Lake Community College are learning that their tax documents got lost.

An email sent to students and obtained by KSL Newsradio explained that a memory drive with tax documents for the students somehow fell out of an envelope on its way from a contracted company to the college.

SLCC spokesman Joy Tlou said that when the college processes these documents that deal with the 1098-T tax form used for getting educational tax credits, the college goes through a third-party vendor and uses a secured cloud server to access the information. That information is then also backed up on a memory drive and sent to the college.

Read more on KSL and see the FAQ on the incident.

Feb 15 2019

Julia Ingram and Hannah Knowles report:

Before this week, Stanford students could view the Common Applications and high school transcripts of other students if they first requested to view their own admission documents under the Family Educational Rights and Privacy Act (FERPA).

Accessible documents contained sensitive personal information including, for some students, Social Security numbers. Other obtainable data included students’ ethnicity, legacy status, home address, citizenship status, criminal status, standardized test scores, personal essays and whether they applied for financial aid. Official standardized test score reports were also accessible.

Students’ documents were not searchable by name, but were instead made accessible by changing a numeric ID in a URL.

Read more on The Stanford Daily.