Roughly 1,000 employees of a Texas border school district learned their Social Security numbers were compromised in a data security breach caused by a questionable email.
Mercedes Independent School District Superintendent Dr. Daniel Treviño, Jr., announced Friday they accidentally released Internal Revenue Service (IRS) W-2 forms containing personal information for around 950 employees in response to an email with an “unknown email address.”
It appears all Mercedes ISD employee W-2 forms were shared in the “oversight” that occurred when the small school district’s payroll office responded to and submitted the file to the unauthorized email address, said Treviño, according to the Valley Morning Star.
He told KRGV the district received an email requesting W-2 forms of school district employees from the 2015-16 school year but it was not until after these IRS forms were sent back that Mercedes ISD staffers realized they were hacked by an unauthorized account. Besides Social Security numbers, personal data like birth dates included on these forms were unintentionally released.
The Rio Grande Valley school district intends to invest in software “designed to safeguard employees’ confidential information.” They also plan to provide a lock monitoring system for every district staffer. Treviño told KRGV: “If the information is being misused, the employee will be notified immediately.”
Mercedes ISD employees first learned of the breach in a January 26 letter from Treviño. It stated “sensitive personal information” on their IRS W-2 forms was “reasonably believed to have been compromised as a result of a fraudulent information request.”
The school district launched an internal investigation with their legal department and continues to cooperate with the local and federal authorities such as the Mercedes Police Department, the U.S. Attorney’s Office, and the IRS. Mercedes Police Chief Olga Maldonado told KRGV: “We have contacted a federal agency to see if they can help us with the servers and stuff because they are one of the best agencies that can help you with that.”
Maldonado indicated local law enforcement is relying on the feds to guide them through the investigation process and help them with their technology. She urged everyone to exercise caution before opening a suspicious looking email to avoid this kind of situation in the future.
Other Texas school districts experienced breaches that worried parents. In December, 23,000 staffers plus former and current students in San Antonio’s largest school district learned about a similar email hack which may have put a lot of their personal information at risk. Breitbart Texas reported potentially jeopardized were names, addresses, and Social Security numbers at Northside ISD. To date, their cyber-scare appears over and no suspicious evidence surfaced to suggest any of the breached data was used for any illegal activities.
In October, Houston area Katy ISD alerted parents of a possible data breach involving 2013-14 school year student information such as names, dates of birth, Social Security and state ID numbers, email addresses, and zip codes. Their third party data management company, SunGard K-12, said possible data exposure occurred during a software installation where this information was shared with other school districts and without Katy ISD’s knowledge or authorization, KHOU reported. SunGard K-12 caught the error and removed the installation package but they also offered impacted students a year of LifeLock services as a precautionary measure. The company believed it was unlikely database information was inappropriately accessed by any unauthorized individuals.
In April, cyber-criminals hacked into San Antonio’s North East ISD multiple times with ransomware, a type of malware or virus that holds computer data hostage. This affected online records of 20 district campuses, Breitbart Texas reported. District officials said no cloud-stored data was compromised.
Follow Merrill Hope, a member of the original Breitbart Texas team, on Twitter.