CORRECTION: I picked this up incorrectly as Pittsburgh in PA. A kind reader pointed out my error. This was Pittsburg in Kansas!
The City of Pittsburg hasn’t disclosed how many former and current employees had their W-2 data stolen in a phishing scam on January 30, but I’m betting it’s more than a few. Their press release of today appears below. Remember that we are tracking these W-2 phishing incidents here.
Tuesday, January 30, the City of Pittsburg was subjected to a sophisticated phishing scheme targeting employee payroll data. The attack resulted in the release of sensitive information for current and former city employees who received a W-2 for the 2017 fiscal year. The breach did not involve access to the City’s technical network, and no evidence has been found to suggest employee information has been misused.
The City is taking precautionary measures to protect anyone affected by the release. Within 24 hours of the data release, the City notified local law enforcement, IRS and FBI, sent critical communication to all impacted individuals, and provided complimentary identity theft protection services. The City is also providing technical support and enrollment assistance to those individuals.
“The safety and well-being of our current and former employees is incredibly important,” said City Manager Daron Hall. “This was not a technical attack against our firewall or network filters, but instead it was a social attack aimed at our employees. While we believe we have significant safeguards in place to reduce the risk of these types of threats, we take full responsibility for this incident occurring and will do better in the future to protect all sensitive data. I am proud of the way our management team worked quickly to identify the problem, the risk to those affected, and implement a solution within hours of the attack. We are in the process of analyzing our security measures against potential future incidents.”
According to the IRS website, the W-2 scam is just one of several new variations of phishing schemes that focus on the large-scale thefts of sensitive tax information. This email scheme pretends to be from company executives and requests personal information about employees, and uses the cover of tax season and W-2 filings to deceive people into sharing personal data.
The contractor selected to protect the employee information provides identity theft monitoring for financial accounts, stolen funds reimbursement, and a $1 million service guarantee per account. This 12-month coverage is being provided at no cost to affected individuals.