PITTSBURG — The City of Pittsburg was hit by a phishing scheme at the end of January, which resulted in the release of employee W-2 information.
The attack, which took place on January 30, released W-2 information for current and former city employees who received a W-2 in 2017. According to the city, the breach did not affect its technical network, and there is no evidence the released information has been misused.
Local law enforcement, he Federal Bureau of Investigation and the Internal Revenue Service were notified within 24 hours of the breach, and the city has offered LifeLock — identity theft protection — services to all affected employees free of charge.
“The safety and well-being of our current and former employees is incredibly important,” City Manager Daron Hall said in a release. “This was not a technical attack against our firewall or network filters, but instead it was a social attack aimed at our employees. While we believe we have significant safeguards in place to reduce the risk of these types of threats, we take full responsibility for this incident occurring and will do better in the future to protect all sensitive data.”
LifeLock provides identity theft monitoring for financial accounts, stolen funds reimbursement and a $1 million service guarantee per account. This 12-month coverage is being provided at no cost to affected individuals.
“I am proud of the way our management team worked quickly to identify the problem, the risk to those affected, and implement a solution within hours of the attack,” Hall said in the release. “We are in the process of analyzing our security measures against potential future incidents.”
According to the IRS, the W-2 scam is just one of several new variations of phishing schemes that focus on the large-scale thefts of sensitive tax information. This email scheme pretends to be from company executives and requests personal information about employees, and uses the cover of tax season and W-2 filings to deceive people into sharing personal data.”
Hall said the scheme spoofed his city email address — meaning an email was sent to a city employee that appeared to be from Hall — and requested information.
“Situations like this are especially upsetting, because the employees are just trying to do their jobs,” Hall said. “The scam email showed up from my email address, even though it was not sent from my email address.”
— Chance Hoener is a staff writer for the Morning Sun. He can be emailed at firstname.lastname@example.org or follow him on Twitter @ReporterChance.