Kentucky State University Investigates W-2 Data Breach

The breach of personally identifiable information from tax forms comes as payroll officers throughout the country see more phishing emails asking for payroll data.

by Greg Kocher, Lexington Herald-Leader / March 30, 2016

(TNS) — Kentucky State University in Frankfort has informed its employees about a data breach including information from W-2 tax forms.

On Tuesday, the university posted this alert on its website: "This correspondence is to inform you of a data breach that occurred on March 22, 2016, and involved the inadvertent disclosure of personally identifiable information of current and former Kentucky State University ("KSU") employees. The data included KSU W-2s for 2015 and University identification information."

The posting said KSU "has already taken action to limit the effects of this breach and to identify" the responsible culprits. Federal and state authorities have been notified and are investigating this incident, KSU said.

The university said it has notified all three major credit-reporting agencies to inform them of the breach.

Earlier this month, the Internal Revenue Service issued an alert to payroll and human resources professionals to beware of a phishing email scheme that purports to be from company executives and requests personal information on employees.

The IRS learned this scheme — part of a surge in phishing emails seen this year — already has claimed several victims as payroll and human resources offices mistakenly email payroll data including W-2 forms that contain Social Security numbers and other personally identifiable information to cybercriminals posing as company executives.

"This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data," said IRS Commissioner John Koskinen in a release. "Now the criminals are focusing their schemes on company payroll departments.

"If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees."

The IRS issued a wider consumer alert for e-mail schemes after seeing an approximate 400 percent surge in phishing and malware incidents so far this tax season and other reports of scams targeting others in a wider tax community.

KSU recommended some steps for employees to limit the exposure of personally identifiable information.

The university recommended that employees closely monitor all financial accounts and, if they see any unauthorized activity, promptly contact their individual financial institution and/or submit a complaint to the Federal Trade Commission ("FTC"), Suite 1825, 55 West Monroe Street, Chicago, IL 60603, by calling 1-877-ID-THEFT (1-877-438-4338), or going online to

In addition, to learn more about steps to protect against identity theft, employees may contact the Kentucky Attorney General's Office, Office of Consumer Protection, 1024 Capital Center Drive, Frankfort, Kentucky 40601, by calling 1-855-813-6508, or going online to

KSU employee also may want to contact the three U.S. credit reporting agencies (Equifax, Experian and TransUnion) to obtain a free credit report from each by calling 1-877-322-8228 or by logging onto

©2016 the Lexington Herald-Leader (Lexington, Ky.), distributed by Tribune Content Agency, LLC.


Platforms & Programs