By: Matthew Grant
CHARLOTTE, NC (FOX 46 WJZY) - The Charlotte Housing Authority tried to keep secret a large data breach impacting 341 past and present employees.
"We notified our employees," said CHA spokesperson Cheron Porter. "This does not impact the public."
CHA officials only confirmed the breach after FOX 46 received a tip and began asking questions.
"Unfortunately, this information was provided before it was discovered that the request was made from a fraudulent account," Meachem wrote in an internal staff letter obtained by FOX 46.
It does not appear the staff who turned over the sensitive tax documents ever questioned or validated the request. The W-2 forms contain Social Security numbers, addresses and private financial information.
"The damage that could be done with that...someone could build a profile from these people really quick," said cyber expert Tom Jelneck. "Their identity could obviously be stolen and sold on the dark web so yeah that's a really big mistake."
Jelneck says this mistake shows a lack of security training.
"When you have those employee Social Security numbers....that should be guarded beyond anything," said Jelneck. "So I think that's not only a common sense issue, that's a corporate security training issue."
CHA officials discovered the breach on Friday Jan. 19. but waited until Monday to inform staff. A former employee says he just found out on Jan. 26.
Several employees coming in and out had "no comment" when asked about the hack.
The incident comes nearly two months after a Mecklenburg County employee clicked on a phishing e-mail, which resulted in hackers freezing servers and demanding a ransom
In light of this latest breach, CHA officials say they will implement new safeguards.
"We are strengthening our internal controls and all employees will now go through cyber training and personal information protection training," said Porter, in a statement, "regardless of their level of contact with or access to sensitive information."
Porter declined to be interviewed.
The IRS, Attorney General's Office, and the FBI's Internet Crime Complaint Center have been notified. Charlotte city officials were unaware until FOX 46 told them.
CHA will provide credit monitoring and identity theft protection to all employees for the next two years, Meachem announced in his letter to staff.
However, since Social Security numbers never change, employees could remain at risk for identity theft indefinitely.
"It's a very dangerous situation," said Jelneck.
e-End Provides A Complete Compliance Solution
By following NSA and NIST 800-88R1 guidelines, e-End can ensure your organization that all data, including ePHI, on the computers, office equipment, medical equipment and other devices we handle cannot be recovered by any means. With our proprietary, compact and portable media destruction equipment, e-End can perform data sanitization services onsite at your office or facility with no disruption.
For more information on how we can keep you in compliance with HIPAA’s Final Security Rule, contact us today.