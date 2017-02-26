An email data request that appeared to be an internal inquiry resulted in the employment information of Bloomington School District personnel being transmitted to an unknown person.

The Feb. 10 incident was identified that same day, and the district has taken steps to provide identity protection to employees affected by the incident.

The data included personal and financial information for the district’s 2016 employees, a group of nearly 2,800, ranging from part-time student workers to district administrators and leaders. The information obtained could be used in attempts to file false income tax returns prior to the employees filing their actual return, with the false income tax refunds being directed to a different address or bank account than that of the employee, according to district spokesman Rick Kaufman.

The data request came to the district’s finance department and appeared to be an in-house request, Kaufman noted.

The reply was sent to several district employees and identified as a fraudulent request within 20 minutes, prompting the district’s administration to take several steps to prevent the information from being used fraudulently, Kaufman explained.

The district contacted federal, state and local authorities, including the IRS, FBI, U.S. Dept. of Homeland Security and Minnesota Attorney General’s Office. The district also contracted an identity protection service to work with employees from its 2016 payroll. A notification was sent to affected employees, advising them of the identity protection service being provided by the district and how to access it, Kaufman said.

The district’s computer system was not hacked. The district was simply a victim of a fraudulent email request, commonly referred to as phishing. The information request was transmitted through a document attachment to the email reply, and the district was able to verify that the email response was received by the fraudulent email address attached to the inquiry, Kaufman noted.

The district was not the only district in the nation that had been victimized by the scam on Feb. 10. And like many businesses and email users, the district has been the target of its share of phishing scams, he added.

The district initiated additional security measures, including employee training and email monitoring, to combat phishing scams, and the district spent an estimated $25,000 on identity protection thus far, and has cyber security insurance that should offset costs associated with the incident, according to Kaufman.