“Last Friday morning, I was driving to Pennsylvania, when I got a call from the President that Catherine Bonnes, Director of Finance, was alerted to the fact that there was an issue with the W2’s,” said Jim Prince, Vice President for Business and Finance at Kalamazoo College.
Prince confirmed that the College inadvertently e-mailed out W2 forms for the 2015 tax year through a phishing scam that affected 1,634 individuals from the faculty, staff, and student community.
Communication was a priority for the crisis team that convened Friday, April 29. “What was critical for us was to get out the word as soon as possible to those who were impacted by this to let them know that we’re working on a plan,” Prince said.
In an initial e-mail to the campus, the College urged and reminded individuals to sign up for one of three credit bureaus (TransUnion, Experian, or Equifax) to begin a free 90-day fraud alert.
The College is now contracted with AllClear ID which includes several identity services that will be free of charge to those who wish to enroll for two-years. The details and instructions concerning AllClear ID will be mailed out to individuals’ permanent addresses within the week.
“It is a service that the college feels is important, that we owe to the individuals that are impacted by this,” Prince explained, “to make sure that everything can be done to protect everybody because we made an error, and we know we did.”
Even with efforts to fix the problem, students wonder how long this problem will follow them. Kaitlyn Courtenay K’17, a student bookstore worker, realizes that this scam may result in something she needs to always be on the look out for.
“I appreciate the updates, but I feel that my confidentiality was breeched because of this, and I may have lost a little trust in the process, too,” Courtenay said.
Another complicating factor is alerting international students who worked for the College in 2015, but are now back overseas. It will be more difficult for them to set up a fraud alert on their accounts.
“The key is to get that information in their hands as soon as possible, we are working with the CIP to make sure we can coordinate who is where and so forth, but it’s not quite as easy,” Prince said.
According to Prince, K is looking internally at how to go about protecting data.
“[The e-mail] looked very official,” Prince said, “it looked like it came from a staff member who had the authority to ask for that information and consequently we made a mistake, and so now the key is to make sure that we don’t make mistakes like this again going forward.”