TWIN FALLS — The College of Southern Idaho has reported a significant phishing scam after an employee inadvertently released W-2 tax information.
An individual — who was impersonating a college employee — sent an email Thursday to a CSI employee requesting W-2 forms.
An employee released information later that day for all college employees for 2015 and 2016.
There’s no evidence of hacking into CSI’s computer system, college spokesman Doug Maughan said Tuesday. “Our IT department is confident that hasn’t occurred.”
“The only thing we’re dealing with here is a phishing scam,” he added, but called the incident “significant.”
The college learned Monday the email was fraudulent and started an investigation. College officials aren’t aware of any fraud or misuse of employee information.
A letter from CSI President Jeff Fox was slated to be mailed to college employees Tuesday.
“The College of Southern Idaho recently experienced a security incident involving the personal information of its current and former employees,” Fox wrote in a draft document.
“We are providing this notice as a precaution to inform those who are affected and to call your attention to steps you can take to help protect yourselves. We sincerely regret any concern this may cause you.”
CSI reported the incident to the Twin Falls Police Department and a Federal Bureau of Investigation agent who deals with cybersecurity.
It’s also working through its insurance provider, Idaho Counties Risk Management Program, to offer employees free one-year identity protection services through a company called EPIC.
The W2 form is a tax document an employer prepares, showing how much is withheld from an employee’s pay for taxes.
The information handed over in the phishing scam included employee names, home addresses, Social Security numbers, pay information and how much tax money was withheld.
CSI is holding a town hall meeting at 4 p.m. Wednesday for all CSI employees. It will be broadcast to the college’s off-campus centers.
College officials will share information, answer questions and help employees sign up for the identity theft protection service.
The college also plans to provide additional training for employees on “how to handle any requests for sensitive information and how to potentially recognize a phishing scheme,” Fox wrote in the letter.
CSI is also recommending employees file a Form 14039 — an identity theft affidavit — with the Internal Revenue Service.
That can help ensure an employee’s information isn’t used to file a fraudulent tax return.
“The College of Southern Idaho takes the privacy and protection of personal information very seriously, and deeply regrets that this incident occurred,” Fox wrote in the letter.
“We took steps to address this incident promptly after it was discovered, including working to investigate and remediate the situation.”
Be the first to know
Get local news delivered to your inbox!