Data Breach Affecting Some APS Employees

(Updated at 3:20 p.m.) More than two dozen Arlington Public Schools employees have had their social security numbers and tax information compromised in a data breach, according to a memo sent to APS employees Monday.

The breach exposed the W-2 tax forms of 28 APS employees, the school system said. APS issues around 7,000 W-2 forms to employees annually, according to Assistant Superintendent Linda Erdos.

The breach occurred on a third-party server and there is no evidence that APS’ own systems were compromised, the memo says. However, APS has notified the FBI about the incident.

More than 40 companies reported attacks that compromised employee W-2 data during the first quarter of this year, according to news reports.

The memo to employees is below.

Recently, the staff in our Information Services Department was notified that files of W-2 tax forms for 28 APS employees were discovered to have been stored by an unknown party on an out-of-state organization’s server that had been hacked.

After reviewing the circumstances and the contents of the 28 files, at this time we believe that the W-2s were generated individually through the “employee self-service” feature of our STARS ERP system. We have not found any indication or evidence at this time to indicate that this represents a breach of the APS data systems. Currently, we believe that this is a limited incident.

Human Resources staff has contacted the 28 staff members directly to inform them of this discovery, and to provide them with some guidance to help them address the situation.

We have heard recent news reports that this has happened to other individuals in our region and throughout the country, particularly right now as we are at the conclusion of the federal tax filing period. Therefore, APS is taking several steps that are in line with our standard data practices. They will also assist us with our continued investigations, and will help to ensure that our data continues to be protected.

  • First, we have contacted the FBI and notified them about this incident.
  • We have also contacted the AT&T Cybersecurity Unit and they are performing a complete threat assessment for all of our APS systems.
  • Finally, while we will continue to collaborate with the FBI and all parties who are investigating this incident, we have also hired Dr. Naren Kodali, who is an information security expert, to consult on our APS data security systems. Dr. Kodali is a highly qualified and well-known professional in the field of cyber-security as well, is a professor of Information Security at George Mason University, and has also served as the Dean of Computer Information Systems at other universities.

In addition, as a precaution, we are providing all APS staff with recommendations of best practices that everyone should take to safeguard your personal information online, both at work and at home. Those tips have been posted online in the Staff Central section of the APS website.