A “cyber event” in late February caused the personal tax information of the Alabama State Port Authority’s current and former employees to be unintentionally released to an unknown source, officials have confirmed to Lagniappe.

According to ASPA Vice President of Marketing Judith Adams, the organization was the victim of a spear phishing attack on Feb. 21 that targeted an employee with access to W-2 information for ASPA’s employees and retirees — compromising the information of 780 individuals.

According to the Federal Bureau of Investigation’s [FBI] definition, spear phishing is a kind of cyber attack that uses doctored emails that appear to be from a trusted source in an attempt to obtain otherwise protected or personal information.

The employee targeted at ASPA received an email appearing to be from CEO Jimmy Lyons, though it was in fact sent from an unknown external source. Purporting to be Lyons, the sender requested copies of W-2s for all ASPA employees, and according to Adams, “the employee fell for it, and that information was mistakenly released.”

“This was the action of one employee, not an attack or a hack on our systems in any way, shape or form,” Adams said. ““We have a whole division dedicated to IT and IT security, and I want to stress that none of our data, our servers or any firewalls were compromised in any way.”

The Alabama State Port Authority. [Facebook]

While the amount of data released is significant, the “spear phishing” technique used to obtain it isn’t uncommon at all. In fact, Lyons said ASPA requires employees who use computers to go through cyber security training that covers those techniques and others.

“All of our employees with access to computers are required to take online cyber security training,” Lyons said. “We’ve had a number of similar attacks that have been unsuccessful because of that training.”

Despite undergoing that training, though, Adams said the employee who released the personal data “fell victim” to the criminal scheme and is no longer employed with ASPA. Due to the employee “self-reporting” the mistake, ASPA was able to take immediate action, though.

Port officials have already alerted the FBI and the Internal Revenue Service [IRS] and an investigation is already underway — part of a quick response that Lyons commended his senior management staff for.

“Our team took immediate steps to report this cyber crime to law enforcement, and worked around the clock to quickly compile and distribute important safeguard information to all of our employees,” Lyons said. “They did a remarkable job.”

When ASPA’s employees were notified their data had been compromised, they were urged to take quick steps to protect their credit and personal identity and also encouraged to file their 2016 taxes with the IRS as early as possible.

According to Adams, ASPA has also enrolled all of its employees and retirees in the Equifax ID Patrol program for three years at no cost to them. That program will monitor their credit, alert them to any changes and can offer up to $1 million in coverage for identity theft and other fraud.

So far, Adams said roughly $75,000 has gone into those and other efforts to assist employees, though she said those may only be the “initial costs” of the former employee’s mistake.

“What was done, and what the authority had to do, was immediately swing into action and do everything we could possibly do,” she added. “At least this can provide employees a level of monitoring and observation so that if their information is used for any kind of nefarious purpose, it can be caught very quickly.”

Because the spear phishing attempt did not’ occur until late February, many employees had already filed their 2016 taxes by the time their information had been stolen. However,
Adams did say “a handful” of employees that filed after the leak have already run into problems.

Because the IRS was notified and able to flag any affected Social Security numbers, Adams said those employees will still file their taxes, despite the “hassle” of not being able to do so electronically.

“This was one small action by one individual, and yet it has had a significant impact on this organization and these 780 individuals,” Adams said. “There is a nefarious world out there, in terms of cyber security and cyber threats. It’s very sobering.”