A fraudulent email in a phishing attack released information for about 2,500 College of Southern Idaho employees.
A CSI employee replied to a fraudulent email account asking for employees’ W-2 forms Feb. 2. Forms for every CSI employee from 2015 and 2016 were sent in reply to the email, said Kimberlee LaPray, public information specialist at CSI.
The information in the forms included employees’ addresses, wages and social security numbers. The college has notified its employees about the release, holding two meetings to address their concerns Feb. 8 and Feb. 9.
“The latest technologies and best operational models and communication channels do not guarantee 100 percent safety from digital threats,” said Kevin Mark, CSI chief technology officer.
“While it’s unfortunate that CSI was victim of a spear-phishing scam, the technology systems behind the scenes did not malfunction in any way and did exactly what they were designed to do,” he said. “However, this scam is a harsh reminder to all of us who use technology that (employees) are the best defense to protecting digital systems and information.”
The college has cyber liability insurance, which will help monitor the credit of all the employees who were affected. CSI is also offering free identity protection services that will watch for misuses of employees’ personal information, LaPray said.
None of CSI’s employees have reported any negative effects from their information being released, LaPray said.
CSI revamped its cyber security protocols over the last year to create better communication between IT, administration and the human resources department and to teach safe computer practices to employees, Mark said.
But, the college now plans to conduct its cyber security training sessions more frequently in order to teach employees the importance of verifying information requests, he said.
“This situation has given us greater visibility to target areas we need to give more attention,” Mark said.
CSI’s cyber security system blocks an average of 1 million attacks a day including programs that attempt to force the release of digital assets, steal domain accounts and gain access to sensitive data, Mark said.