ENUMCLAW, Wash. — The city of Enumclaw accidentally sent an email to an "individual pretending to be a member of City administration" and compromised the W-2s of hundreds of employees, records say.
KIRO 7 obtained a copy of the email sent to city employees on February 7:
Scroll down to continue reading
More news from KIRO 7
- Treehouse filled with child porn found near North Bend
- No evidence of shooter at Highline College after reports of gunfire caused massive response
- Sources: Man who accused former Seattle mayor of sexual abuse has died
- 18 school shootings in 2018? That statistic is misleading
- Fireworks could be to blame at Highline College panic
"We recently discovered that our City was the victim of an email spoofing attack by an individual pretending to be a member of City administration. On Monday, February 5, 2018, a request was made from what appeared to be a legitimate City of Enumclaw email address for 2017 City of Enumclaw employee W02 information. Unfortunately, copies of 2017 employee W-2 forms were provided before we discovered that the request was made from a fraudulent account. We discovered the fraudulent nature of the request on February 6th, 2018 and have been working diligently to investigate and to mitigate the impact of this event."
Michael Rainey with the Washington State Council of County and City Employees represents about 50 members of the city of Enumclaw and said members were "very concerned" and "confused" by the mishap.
Amy King, a tax agent with King Tax Service LLP in Enumclaw, says email phishing schemes are prevalent these days.
"Companies are supposed to let their employees know if anything has been compromised, like a W-2, as soon as they possibly can," she said.
According to records, the emails were accidentally emailed to the false account on Feb. 5. City officials learned what happened the next day. However, employees weren't notified until 7:53 p.m. on Feb 7, which likely means some people did not see the email until the following day.
King is now filing taxes for several city employees who learned their personal information had been out in the open for at least two days.
"They feel a little betrayed because they trusted their information with a company and it was sent somewhere else and they don't know who all has it, where it is or what country it's in," King said.
KIRO 7 tried reaching out to every department in the city but were told no one was allowed to talk about what happened. An East Coast attorney now representing the city did not return our calls.
A citywide identity theft report was filed with the Enumclaw Police Department but the police report suggests it will be difficult to track the suspect down.
King urges employees affected by the "spoofing attack" to file taxes as soon as possible in order to minimize the risk of identity theft.
"If that gets out there people are willing to sell it to the bad guys multiple times," she says, "so the first person who files that tax return with that number pretty much wins."
The city has offered to pay for fraud protection but King says, if employees are scammed that may not be enough.
Cox Media Group