A phishing scam sent via email to the Groton School District prompted sensitive information to be given out, according to the district's superintendent.
On Wednesday, someone pretending to be the superintendent sent an email to the business office requesting information on personnel W-2 forms.
Believing the email was from the superintendent, the business office sent the sensitive information by mistake, Superintendent Dr. Michael Graner said. He told NBC Connecticut that he has never made a request like that via email.
As of Thursday night, the district’s business manager, Don Meltabarger, has been placed on paid administrative leave until law enforcement finishes its investigation, Graner said, adding that the business office is the only department with access to W-2 forms. About seven people work in that office.
In total, the district’s 1,363 employees were affected, including teachers, administrators, substitute teachers, and anyone else who received compensation from the Groton Board of Education.
There are protocols for releasing sensitive employee information, Graner said. Part of the investigation is seeing whether those were followed.
Board of Education Chair Kim Shepardson Watson said the board will likely suggest changes after the investigation is completed.
The district immediately notified the Groton Police Department. The IRS is also investigating. Town of Groton Chief of Police L.J. Fusaro said they recently consulted with the FBI.
The Connecticut Attorney General and the Connecticut State Department of Education are also aware of the investigation, according to Graner.
On Thursday the school district alerted employees about the data breach and recommended actions they should take. The superintendent says they've contacted insurance and purchased credit monitoring services for everyone.
An IRS agent was at the school district on Friday to recommend other actions that can be taken.
District employees are hoping the issue gets settled soon and are fearful of who has their personal information.
“That had our social security, it had our mailing address, it had our names, it had our numbers,” said Michael Irace, a substitute teacher for the district. His wife is also a teacher with the district.
He said he froze his credit when he heard about the breach.
“We’re going to try to get our tax returns done very quickly and hopefully nothing goes bad,” Irace said.
As far as disciplinary actions for any employees involved, NBC Connecticut was told the entire incident is still under investigation and that the district will take appropriate action.
Groton Town Manager Mark Oefinger said that in February the town’s finance department got an email asking for the W-2s of all town employees. But an employee realized it was a scam and reported it immediately.
Earlier this year, the Connecticut Department of Revenue Services warned of this exact kind of "phishing" scam. NBC Connecticut spoke to the commissioner then who gave advice on how to avoid becoming a victim.
"It won't hurt. The boss won't be mad. The head of payroll won't be mad if you say, 'I would like to get you that information, but let me just confirm with the person that ordered it,'" said Commissioner Kevin Sullivan.
The Groton Police Department also recommended actions anyone can take to avoid becoming a victim.
- Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about PII, employees or other internal information.
- If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
- Do not provide personal information unless you are certain of a person's authority to have the information.
- Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
- Don't send sensitive information over the Internet before checking a website's security.
- Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
- If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information.
- Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic.
- Take advantage of any anti-phishing features offered by your email client and web browser.
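The police department's list asks people to notice the same signals an email filter can check mechanically: a familiar name on an unfamiliar address, a domain that differs from the real one by a letter or a TLD, replies routed elsewhere, and a request for payroll or tax-form data. The script below is an added example, not code from the report, the district, or the Groton Police Department. It assumes a hypothetical district domain (`district-schools.example`), a hypothetical executive directory (one entry, "Jane Doe"), and two constructed sample messages; it screens a message and says whether it should be held until the request is confirmed by phone, the check Commissioner Sullivan describes.

```python
"""Screen inbound mail for executive-impersonation requests for payroll data.

Added example, not from the news report. The district domain, the executive
directory and the two sample messages below are all assumptions/constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed placeholders: the district's real domain and directory are not on the page.
TRUSTED_DOMAIN = "district-schools.example"
EXECUTIVES = {"jane doe": "jdoe@district-schools.example"}  # display name -> real address

# Phrases marking a request for the kind of data the incident exposed (W-2s, SSNs).
SENSITIVE_REQUEST = re.compile(
    r"\b(w-?2s?|social security|ssn|payroll|direct deposit)\b", re.IGNORECASE)


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one- or two-character misspellings of the domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """True for the same name under a different TLD, or a near-identical spelling."""
    if not domain or domain == trusted:
        return False
    name = domain.rpartition(".")[0]
    trusted_name = trusted.rpartition(".")[0]
    return name == trusted_name or levenshtein(domain, trusted) <= 2


def assess(raw_message: str) -> dict:
    """Collect sender red flags and note whether the body asks for sensitive data."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)

    # 1. A known executive's name on an address that is not theirs.
    real = EXECUTIVES.get(display_name.strip().lower())
    if real and sender.lower() != real:
        flags.append(f"display name '{display_name}' does not match directory address {real}")

    # 2. The sender domain imitates the district domain.
    if is_lookalike(sender_domain):
        flags.append(f"sender domain {sender_domain} looks like {TRUSTED_DOMAIN}")

    # 3. Replies are redirected to a third domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        flags.append(f"Reply-To goes to {domain_of(reply_to)}, not {sender_domain}")

    # 4. The body asks for payroll or tax-form data (plain-text messages only here).
    body = "" if msg.is_multipart() else msg.get_content()
    return {"sender_flags": flags,
            "requests_sensitive_data": bool(SENSITIVE_REQUEST.search(body))}


def should_hold(raw_message: str) -> bool:
    """Hold for phone verification when a sender red flag meets a request for data."""
    result = assess(raw_message)
    return result["requests_sensitive_data"] and bool(result["sender_flags"])


# Constructed sample messages; not real mail from the incident.
PHISH = """\
From: "Jane Doe" <jdoe@district-schoo1s.example>
Reply-To: <jdoe.office@freemail.example>
To: business-office@district-schools.example
Subject: W-2 request

Please send me last year's W-2s for all staff as a PDF today. Thanks, Jane
"""

LEGIT = """\
From: "Jane Doe" <jdoe@district-schools.example>
To: business-office@district-schools.example
Subject: Thursday meeting

Can we move the budget meeting to 2pm?
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, "hold" if should_hold(sample) else "deliver", assess(sample))
```

The hold rule deliberately requires two things at once, a sender anomaly and a request for sensitive data, so that an executive's ordinary email and a lookalike domain's harmless newsletter both pass while a request like the one in the story is stopped and routed to the phone call the commissioner recommends.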