Hundreds of W-2 forms stolen from current, ex-city workers
Phishing email disguised as mayor sought payroll info.
Confidential information of more than 800 current and former City of San Marcos employees has been compromised after one employee fell for a phishing scam, officials said Thursday.
Officials learned Monday that a payroll employee had been sent a targeted phishing email on Feb. 22 that was made to look like it was from the mayor. The employee then sent back all of the city’s 2016 W-2 forms, which contain sensitive information including Social Security numbers.
Finance director Heather Hurlbert said the city figured out what had happened after a few employees reported that they had tried to file their tax returns and were rejected by the IRS because records showed that a return had already been filed.
Acting City Manager Steve Parker sent an email Tuesday afternoon to employees about the breach, which was first reported Thursday by KXAN. Information for 803 people was compromised.
“This was not something where our system was hacked,” Hurlbert said. “This was a request that came in from the outside and was made to appear as if it was coming from the inside requesting information.”
Phishing is a method scammers use to fool someone into providing personal information by making an email appear to come from a legitimate organization or known entity.
Hurlbert acknowledged such a request of a payroll employee by the mayor would under normal circumstances be “a little bit out of the ordinary.” She could not say whether there will be consequences for the employee involved, as it is a personnel issue.
The city has a cyber-liability insurance policy and is now consulting with the third-party company to ensure the right steps are being taken to remedy the situation, Hurlbert said.
It will also offer credit monitoring and identity theft protection services at no cost to all affected current and former employees for the next three years, she said.
The city has notified the IRS, state taxing authorities and police of the incident, and the IRS has told the city that it will monitor the affected people’s returns to prevent fraudulent tax refunds from being paid out, according to the email.
“We recognize this issue can be frustrating and we are taking steps to help protect you and to safeguard the personal information we receive and maintain going forward,” Parker said in the email.
“We will work with everyone to make this incident as painless as possible,” Parker wrote. “This affected city management, city council as well as all of you so we are all in this together. To help prevent something like this from happening again, we are aggressively analyzing where process changes are needed and will take the appropriate actions.”
San Marcos is the latest entity to fall victim to such an attack. In February, the IRS issued a warning about a phishing scam that had initially targeted the corporate sector but had spread to other areas, including school districts, tribal organizations and nonprofits.
Last month, employees of Belton school district’s business office released W-2 forms for about 1,700 current and former district workers after being targeted by a similar phishing email that appeared to be from the superintendent.
The two employees responsible for the breach resigned, according to the district spokesman.
And last November, the El Paso Times reported that El Paso officials had accidentally sent $3.2 million intended for a city project contractor to fraudulent bank accounts after being duped in a phishing scam.