In April, American Type Culture Collection (ATCC) was targeted by a Phishing attack seeking W-2 records. The attempt was successful, leaving employees stressed about their finances and the long-term impact this breach could have on them.
But it's the actions by the company after the incident that's left some employees feeling as if ATCC's leadership stopped caring.
ATCC does business globally. If someone does any type of biological science or scientific research, the odds are good they've interacted with ATCC in some way– including governments, academia, and private industry. Lately, ATCC has been in the news due to their lung cancer research and research related to the Zika Virus.
A source familiar with April's data breach shared internal memos and communications related to the breach's aftermath with Salted Hash.
The reasoning behind the disclosure, according to the source, who asked to remain anonymous, is that unlike other major firms that have had their W-2 records compromised by a targeted Phishing attack, ATCC managed to avoid the limelight.
The source felt compelled to share the documents because "all the clients we serve should be aware [of the data breach] and question how we keep their data safe."
The memos sent internally are outlined below. However, along with the communications, there is another aspect to this story – the human one. While the company was victimized by a criminal seeking W-2 records, so too were the employees.
At least one staffer at ATCC is still waiting on a tax return filed in March, and they had to jump through several hoops with the IRS to confirm their identity. Other employees affected by the breach are said to have had credit taken out under their names.
In addition, perception is a strong motivator when it comes to workplace morale. The way this data breach was handled, the source told Salted Hash, has left some staffers feeling left out in the cold, as they can no longer get questions answered. In short, they feel ignored and forgotten. That's a painful feeling considering it's only been just over a month since the breach occurred.
Salted Hash reached out to ATCC for comment, asking a number of questions related to awareness training, the protection offerings, and the incident itself. There was no response. Should that change, this story will be updated.
April 11 (Monday)
Company sends the first of several notices to employees. The IRS has informed ATCC that W-2 data for all employees has been compromised. In response, ATCC will send the IRS a list of staff SSNs in order to flag the individual as a victim of ID theft. The flag is supposed to prevent fraudulent returns.
ATCC says that to their knowledge "at this time, the unauthorized access of W-2 information by identity thieves occurred though a fraudulent email requesting internal transfer of the information" to Ralph Koch, ATCC's CFO.
The notice says that the federal government is investigating the incident.
April 12 (Tuesday)
A follow-up communication explains that the company was contacted by the IRS the previous Friday (April 8). A weekend investigation, which ended the morning of April 12, determined the root cause of the data breach to be a Phishing email.
"What happened is a fairly common social engineering attack where someone posing as me [Ralph Koch, CFO] asked for W-2 information. Both HR and Finance personnel were targeted in recent weeks. Despite awareness training and reminder emails, we nonetheless failed to detect the attack," the notice explains.
The notice goes on to reference the fact that many employees have been contacted by tax authorities in their state indicating irregularities with their returns. In addition, arrangements are being made in order to provide credit protection services, if they're interested.
April 15 (Friday)
A third notice from the ATCC CFO informs employees of a SharePoint portal hosting a FAQ about the Phishing attack. Staff are also told about a one-year offer for ID theft protection, provided by IDShield.
"We want to assure you that the cause of this issue has been identified and we are taking steps to prevent this type of intrusion from happening again. Specifically, we are looking at ways to strengthen our internal data security protocols and elevate our IT Security Awareness training."
The notice also offers security tips.
It advises employees to challenge and confirm requests for sensitive company data via email, no matter who is making the request. Employees should call or meet with the requestor face-to-face to confirm.
Also, requests for such information should be verified by at least two parties. Moreover, they should engage IT Security before the data is released.
April 22 (Friday)
A forth notice about the incident informs staff that there is a delay in IDShield registrations. It says more than 200 employees attended optional data incident meetings that week.
April 26 (Tuesday)
The IDShield registration page, which was supposed to have been operational the previous Friday, is still not available.
The delay is blamed on glitches in the registration process, and missing customization. There is no confirmed time for resolution.
As a result, employees are offered a $120 payroll credit, which is said to be the equivalent of one year of employee-only ID theft protection.
When asked about the data incident meetings, the source said the general feeling was that the meetings were rushed. They were 15 minutes in length, and included a short Q&A with the CFO. The representative conducting the meeting was actually from Legal Shield and could not answer specific questions about the IDShield product.
"They more or less wanted to shuffle us in and out, and it was – to be honest – not very helpful," the source explained.
Prior to the data breach, ATCC employees received yearly security awareness training, which is an interactive program that takes about thirty minutes to an hour to complete. A portion of the training covers different types of scams that can arise in the workplace, and there is additional training for those who work with government contracts.
Since the breach was disclosed internally, the source said, there have been no changes to the awareness programs, and no new additional training provided. If such changes have been implemented, not everyone is aware of them.
When the ID theft protection glitches prevented enrollment, employees were offered a $120 credit as an alternative, should they chose to purchase their own protection. The problem is, this credit doesn't cover most of the known services on the market, which run $20 per month on average.
"The ID Shield credit service they recommended covers one of three credit bureaus, which I did not feel was adequate," a person familiar with the offer explained.
"Let's face it; the one they wanted us to sign up for is the cheapest option on the market with sub-optimal customer reviews."
Having read previous Salted Hash articles related to BEC scams and W-2 Phishing attacks, the source said they felt ATCC's response was insufficient for a number of reasons.
"There was a lack of transparency, timeliness, and follow through," the source explained.
"The CFO is no longer fielding questions on the matter. He has made comments such as our information will become less valuable in a year and this sort of scam happens all the time which shows a general lack of the severity of the issue. The people who have been affected are still waiting for tax returns, some of which were relying upon for large financial payments, such as mortgages. Some now have the added stress of restoring their credit."
Again, Salted Hash reached out to ATCC for comment, including emails to executives directly. However, there has been no response from the company.
The assumption is that ATCC had a BCDR plan already established prior to the Phishing attack.
If that assumption is true, then the lesson here is that most plans fall apart the moment they're actually needed. Organizations have to try and plan for this, and have alternative provisions to deal with shortfalls and hiccups. Such problems can be resolved by ensuring that BCDR plans are updated regularly, and fully address actual risk scenarios – such as Phishing and Social Engineering.
The notion that employees feel there was a lack of follow though on the incident is a painful reminder that BCDR plans have to include the people that make the organization function.
They're humans, with real human concerns, that don't go away with the passing of time. Yes, the stolen information will become less valuable over time, but that doesn't offset the here and now, and such facts don't make the issue go away.
In this case, clearly there was a breakdown somewhere. Just over a month later, employees feel as if they've been forgotten and the solutions offered didn't really address their concerns.
The truth? Security is hard, but not impossible. Balancing the needs of people as well as the needs of the company can complicate things, but there should always be a path available to help both sides move forward.