Crotched Mountain Foundation had an unauthorized release of employee W-2s, which include social security numbers, on Thursday, according to center officials.
“Our computer systems weren’t hacked, a human error led to this,” Director of Marketing and Communications Dave Johnson said about the breach on Friday afternoon.
He declined to comment whether any repercussions would result from the human error that led to the breach of information. Greenfield Sergeant Glenn Roberge said the scam occurred as a result of a phishing email, although the case was handed off to another department due to its scope.
The error affects about 1,000 people who are currently employed or have worked at the foundation within the last year. Johnson said the breach was company wide, including at its Greenfield, Concord, Manchester and various satellite sites. It did not extend to any of its clients or students.
“This was just an employee issue,” Johnson said.
Right now, he said, the center is “burning the midnight oil” in order to resolve the situation as quickly as possible.
“[The breach] happened Thursday afternoon, so we notified employees over email a few hours later and we’re working to get that information to as many people as possible, whether that be over the phone, by email or through the mail.”
Tax-related identity theft is a common scam being reported across the state, according to a 2016 press release from the state attorney general’s office. The office states perpetrators often use Social Security numbers to file a tax return to claim a fraudulent refund. Often the victim is unaware that the theft has occurred until they have filed their return only to discover that a fraudulent return has already been filed and the refund has been sent to the thief.
It says if a person is a victim of tax-related identity theft, they should file a report with local police, file a complaint with the Federal Trade Commission, contact the IRS to complete an Identity Theft Affidavit, and contact one of the three major credit bureaus, which include Equifax, Experian, and TransUnion, to place a “fraud alert” on their credit records.
Johnson said the center is also educating employees about the steps they can take to avoid credit fraud. It sent out a company-wide email to all staff members that maps out a number of steps about how to proceed now that the information has been released.
He said the center will be partnering with its own vendor to offer free credit monitoring for staff for two years in an attempt to stem issues that could result from the breach.
“Your privacy is of the utmost importance. We deeply regret what has happened and especially the inconveniences it will cause you. We have already taken steps to ensure this doesn’t happen again,” the center said in an email sent to the Ledger-Transcript.
In October the Community College System of NH announced it had fallen victim to wire fraud. It said in a press release that it had been contacted by an entity posing as an existing vendor that the organization uses to process regular payments. The vendor’s practice had been to be paid by check, although the communication was a request to transition to electronic funds. It processed the information and paid the vendor $130,000, only to learn that the transaction had been fraudulent.
“Unfortunately, criminal actors are continually evolving their strategies. We see this with phishing scams, IT system hacks, telephone fraud, and other deceptive acts designed to take advantage of cyber transactions,” the college said in a press release. “This is an unfortunate, growing societal issue as the convenience of electronic transactions gives rise to new types of vulnerabilities. Escalation of criminal strategies must be met with increased education and vigilance across all spheres of activity.”
Abby Kessler can be reached at 924-7172, ext. 234 or email@example.com.