W-2 information at risk for thousands of workers after breach

Published:
Updated:

INDIANAPOLIS (WTHR) - It's happened again.

For the third time in a month, an Indianapolis company has been hacked by a sophisticated scam that tricks Human Resources workers into sending out sensitive documents with personal information via email.

American Senior Communities tells Eyewitness News its entire company of more than 17,000 workers is impacted. Their sensitive W-2 information is now compromised and in the hands of bad guys.

"The W-2 contains Social Security numbers - a lot of sensitive tax information that in the wrong hands can be used very insidiously," said Paul Talaga, Assistant Professor of Computer Science at the University of Indianapolis.

American Senior Communities is the third company to fall for this kind of scam in the past month.

First it was Scotty's Brewhouse, then Monarch Beverage, now, ASC is affected.

The company says in this latest case, off-shore scammers posed as a high-level ASC executive, with an authentic-looking email, and requested copies of employees W-2s. A payroll processor emailed them off: W-2s for the entire company, which amounts to more than 17,000 workers.

This scam has been in the news and the IRS has put out warnings, so how could it happen again?

"It's tax season and a lot of companies are under a lot of pressure to get this info out to their employees as fast as possible so if an email comes across just any employees desk who's handling that information, they want to make sure their CEO is happy," Talaga said, "and unfortunately they're not doing their due diligence in thinking, 'Hey, this language doesn't sound like what my CEO would be saying. Why am I really sending this to the CEO? He shouldn't be asking for this kind of information.'"

This data breach happened in mid-January.

But ASC says it just found out within the past few days, after employees started to file their taxes. Some got rejected because someone else had filed on their behalf.

"If the hackers are filing your taxes as somebody else, then they can redirect your returns to their accounts," Talaga explained.

Identity theft is a real danger now, too, for those employees. That's why ASC is now providing workers with free credit monitoring.

The Indiana Attorney General is also offering help and recommends those workers put an immediate freeze on their credit.

Experts say companies need to pay closer attention, too. Red flags for this scam include a misspelled email address or an unusual request.

Talaga says those are signs you need to talk to someone.

"Actually give them a call. Step away from the computer and go, 'This does not seem correct'," he said. "Talk to officemates. Ask 'Do we typically do this in our company?' Because usually you shouldn't be."

Hoosiers can visit the Attorney General’s Consumer Protection Division for more information. You can also fill out an Identity Theft Complaint Form. Contact them at 1-800-382-5516 to speak to a consumer staff member who can help you in obtaining an Identity Theft Affidavit Form 14039, which can be submitted to the IRS if you are a victim of tax fraud.

American Senior Communities issued the following statement Monday:

"American Senior Communities ("ASC") has discovered that its employees, like those in many other US companies this past year, have been the victims of a sophisticated and targeted phishing attack involving employee 2016 W2 forms issued in January 2017. In mid-January 2017, offshore scammers posing as a high level ASC executive, requested copies via e-mail of employee’s W-2s. The payroll processor responded to the authentic looking e-mail by furnishing the requested information. ASC did not know of the security incident and unauthorized release of information until February 17 as the result of reports from employees that their tax returns were being rejected because someone else had already filed on their behalf.

"Upon learning of these events, ASC promptly notified the Criminal Investigation Division of the IRS, the Indiana Attorney General’s Office, the Indiana Department of Revenue and local law enforcement. The company will continue to work with these authorities to resolve this unfortunate incident.

"ASC began notifying its employees of the data theft on the same day it learned of the event and is setting up a toll free number to answer employees' questions. All current and affected former employees will be provided, at ASC's expense, free credit monitoring and reporting services as well as assistance with tax filing concerns.

"No resident or personal health information was obtained during this attack.

"ASC takes privacy seriously and deeply regrets that the incident occurred and offer our sincerest apologies to everyone affected."