Campus Community Reacts to W-2 Leak, College Takes Steps to Avoid Repeat Incident

BY STEVEN TUTHILL
GUEST CONTRIBUTOR

At his latest town hall meeting, on Tuesday, April 4, Westminster President Dr. Benjamin Akande addressed the recent security breach the college faced. All Westminster employees, including student workers, recently had their W-2 forms compromised through human error.


This form includes personal financial information, such as employees’ Social Security numbers and the amount of money they earned in the previous year.

Akande said that the leak is “a personnel issue that will be resolved.” He added, “Our [security] systems worked; this was a case of human error.”


The leak occurred on Jan. 31, but no one at the college discovered the issue until March 26.

“We received feedback from a few staff members in March that they’d filed their tax return, but the IRS notified them that they had already been filed,” said Vice President and Chief Communications Officer Lana Poole.

From there, the college was able to determine when and how the breach had occurred.


The human error in question was that a Westminster employee received an email from someone claiming to work for the school, requesting a PDF of all campus employees’ W-2 forms. The email carried a tag labeling it as an external message, meaning that it did not originate from Westminster College servers. The employee in question overlooked this tag and sent all of the W-2 forms to this unverified source.

Becca Cameron, ‘17, one of the many campus employees affected by the breach, said: “I was told that it was human error and that someone received an email asking for everybody’s W-2. They apparently thought it was a reasonable request, and sent that information.”

Manoj Ghimire, ‘18, a student employee in the IT department, suggested that anyone at the college who had the authority to request the W-2 forms would most likely have had the ability to access those items themselves, without depending on another employee to send them.

“If they needed the documents, they should already have access to them,” Ghimire said.

When asked about the human error, Poole said: “The college is dealing with it. It’s a personnel issue, and the college is dealing with it accordingly.”


Poole did not comment on how, exactly, the issue was being dealt with, or on whether the employee in question had been let go.

However, she did discuss ways that students can protect themselves from identity theft in the future.

“Anyone who was employed by the college in 2016 will receive a one-year subscription to LifeLock,” Poole said. LifeLock is a subscription service designed to notify you when it is possible that your identity may be at risk. Westminster College is providing the top service LifeLock offers, which normally costs $29.99 a month. “If you were not employed in 2016, then you will not receive LifeLock, because your W-2 wasn’t compromised.”

Westminster students and employees can also secure themselves in other ways. In fact, Westminster will be offering informational sessions about identity theft, according to Poole.

“We’ll have a session coming up in the weeks ahead,” Poole said. “We’ll be talking about security and identity theft. I think that they become a part of a bigger conversation, and we’ll keep talking about those things.”


Ghimire said that students and employees should be wary of the sources of their emails and that they should check their transactions.

“You have to be careful,” he said. “Every time it’s an external [email], you have to make sure it’s not phishing.”
