[BreachExchange] Columbus Library data breach may have been caused by phishing link

[Destry Winant]

https://www.dispatch.com/news/20200117/columbus-library-data-breach-may-have-been-caused-by-phishing-link

Columbus Metropolitan Library employees whose identities were stolen
may have been victims of a phishing scam that a former library
official fell for in 2018.

The marketing director of the Columbus Metropolitan Library says he
has no idea how the identities of more than 75 librarians and other
staffers were stolen.

But other library employees may have a clue.

Documents obtained anonymously by The Dispatch show that personal
information from the W-2 tax forms of all library employees was
mistakenly emailed in 2018 to somebody posing as library director Pat
Losinski.

According to library records, Shannon Burt, former human resources
director, sent more than 800 records containing W-2 information
without verifying that Losinski had requested it or why he needed it.

Police investigating identity thefts of Columbus Metropolitan Library staffers

The source of the documents called the incident “an absurd request
that should raise a red flag for any HR representative, let alone the
director.”

Gregg Dodd, marketing director, confirmed the validity of the
documents Friday. He said he didn’t reveal the 2018 incident or
possible causes when asked about it repeatedly on Thursday because
investigators aren’t sure the two incidents are connected.

“They’re aware of it,” Dodd said of Columbus police investigators.
“But at this time there is no indication they are related yet. I
couldn’t in good conscience share any speculation.”

He said no customer accounts were affected.

Police opened their investigation this week. Fraud investigations can
take months or years to investigate and often are never solved.

Losinski sent employees a memo on July 16, 2018, explaining that “an
unauthorized third person unlawfully obtained an electronic file
containing certain employees’ personal information” from 2017 Form
W-2s.

The next day, July 17, 2018, Losinski sent a followup notice stating
that all employees’ W-2 data had been breached. Employees were offered
free credit monitoring and advice about how to be vigilant for fraud.
Burt resigned that day.

W-2 tax information includes employee names, Social Security numbers,
home addresses and taxable wage data.

According to a Columbus police report filed this week, at least 75
library employees have had accounts fraudulently opened at Huntington
Bancshares since October.

The bogus checking accounts had been created in the library employees’
names and opened with payday-style loans, also illegally obtained. The
funds deposited in the accounts were then withdrawn as cash by thieves
using Green Dot prepaid debit cards, according to police.

Huntington’s fraud department is investigating.

The library employs about 850 workers at its 23 branches. The victims
appear to be spread out across the system, library officials say.