PA: Thomas County School District notifies employees of online banking system breach

From their notification:

March 5, 2019

The Thomas County School District values its employees and wants you to be aware of an incident that may involve your bank account information. We recently became aware of a breach of our online banking system. After discovering the issue, we immediately engaged BlueVoyant, a leading IT investigation and security firm, to determine the facts. Protecting the security of our employees’ personal information is a top priority for the District. We value and respect the privacy of your information, and we sincerely apologize for any concern or inconvenience this may cause you.

What Happened?

The District was recently the target of malicious cyber activity. Criminals obtained unauthorized access to a computer with banking information stored on it, including employee payroll information. The employee payroll information included the names, employee ID numbers (not Social Security numbers), bank account numbers, and bank routing numbers for District employees. Soon after discovering the potential breach, the District retained BlueVoyant to deploy specialized software to prevent further attacks.

We are still conducting our investigation into the scope of this attack. We wanted to alert you of these facts so you can make informed choices about your use of your bank accounts and how best to protect yourself from potential fraud associated with any unauthorized access to your bank account information.

When Did This Happen?

Our investigation to date has revealed the breach may have occurred beginning around February 7, 2019. The breach may have continued for several days after.

Read the full notification here (pdf).

Of note, it sounds like they had some good defenses:

Fortunately, the fraudulent transfers were prevented by certain control processes maintained by our banking relationship and no money was lost.

That said,  they do not disclose how the threat actor gained access to the computer with banking information on it. Did an employee fall for a phishing attempt? From other suggestions in the notification letter, it seems possible or even likely.

About the author: Dissent