On Feb. 10 an unknown and unauthorized individual illegally acquired the personal and financial information of our employees that is contained on the Federal W-2 Tax Form through a phishing attempt, including name, address, social security number, earnings, and school tax ID information. No bank account information was obtained. As required by law, the appropriate government agencies have been notified.
We believe this information may have been obtained with the intent to file fraudulent tax returns. Please note that the district has insurance that provides coverage for certain related expenses. We have also contracted with IdentifyForce to provide one (1) year of personal security protection for all employees. A letter was sent out on Monday, Feb. 13 to all individuals affected. The letter explains the services offered and how to sign up.
If your address has changed since you received a 2016 W2, you should update your information in the Hub. Call HR with any questions.
In the interim, employees should take any precautions they deem appropriate to protect personal and financial interests.
We apologize for this inconvenience and are taking further steps to protect district data and information. Please see our FAQs and informational presentation for more information, as well as additional resources listed below.
Update October 2017: The District will be extending the Identify Force coverage for an additional three years. More information will be available on this process in February 2018. All employees who were affected by the data breach and leave district employment should be sure to maintain a current mailing address with Bloomington Public Schools. Information will be mailed to employees home address on how to continue the coverage.
Frequently Asked Questions
Was this an Internal or external breach?
To our knowledge, it was an external phishing scam. Another school district in Virginia was similarly compromised this week. As stated, the purpose may have been to use W-2 information to file fraudulent tax returns.
Is it related to Skyward?
No. District systems were not hacked into.
Who was affected?
Everyone who received a W-2 for the 2016 tax year.
What information was compromised?
Information that is included on the Federal W-2 form: name, address, social security number, wages, etc.
Was my bank account information compromised?
No - only information that is reported on the Federal W-2 form.
Do I need to contact all three credit reporting agencies?
No - contacting one and putting a fraud alert on your account is sufficient. Click here
to do so electronically, as their phone system is a bit cumbersome to use and they will likely try to sell you services that we will are already providing free of charge. If you would rather call, their phone numbers are as follows:
If I try to e-file my tax returns, and am unable to do so due to a return already filed, who should I contact?Call IdentityForce membership services (877-694-3367). A specialist will assist in navigating next steps, working with the IRS, etc.
If I receive a letter from the IRS regarding my tax information, should I respond?
You may receive a Letter 4883C from the IRS asking you to verify your identity within 30 days if a suspicious return is filed. Please follow their directions if that occurs.
Who is eligible to receive IdentityForce's services free for one year?
All individuals who received a 2016 W-2, including individuals who no longer work for the district. Please note, as of 1/24/2018:
This service has been extended an additional three years at no cost to those effected.
A letter was mailed on Monday, Feb. 13, which includes more information about the services offered and how to sign up. If you do not receive your letter within 3-4 days, please call 952-681-6403 for assistance.
If I utilize IdentityForce's free 14 day trial and see alerts related to my birthdate being available on certain sites, is that related to the data breach that occurred with BPS?
No. Birth dates are not included on the W-2 - only a person's name, address, SS#, earnings, and the school district's business address and Federal/State ID number.
What should I do regarding the 14-day trail after I receive my new sign-up information from the district?
Those who signed up for the 14-day trial should contact IdentityForce and cancel that coverage BEFORE
signing up using the Personal Verification Code included in the letter mailed this week. The 14-day trial was intended as gap coverage.
Did the District notify banks, PERA, TRA, financial institutions?
No. By law, the District notified the Internal Revenue Service, the Federal Bureau of Investigation, the U.S. Homeland Security’s Computer Emergency Readiness Center, the MN Department of Revenue, and Bloomington Police. Each individual must decide the appropriate steps to take to protect their identity.
I am a current employee who received a 2016 W2 and have been a victim of fraud. Who should I report this to?
Please contact Traveler's Insurance Directly at 1-800-842-8496, or at email@example.com
. Our policy number is 105687737. Also, report to the Bloomington Police Department.
I am a past employee who received a 2016 W2 and have been a victim of fraud. Who should I report this to?
If you have registered for IdentityForce, please contact them directly to file a claim. Their number is 1-877-694-3367. Also, report to the Bloomington Police Department.
What resources are available to me if I am having anxiety or financial concerns due to this breach?
Please select the Employee Assistance Program
link on the left for more information on how to use this free service to help deal with anxieties that may be caused by this. Additionally, information was mailed out Monday Jan. 13 regarding other sources of assistance.
Should I answer emails or calls from individuals or agencies asking for additional information regarding my personal data?
No. A common secondary phishing scam is to contact individuals for additional personal information. The IRS will never call or email asking for information; all their requests come in writing.
Minors and parents of minor employees:Call the IdentityForce specialist (listed under the enrollment steps in the letter) for assistance in enrolling in IdentityForce.
I want to place a freeze on my credit, and it states I’m required to file a police report.The police report copy to be provided in relation to a credit freeze is a police report that you would file to report an actual or suspected instance of identity theft or fraud. The fact that your information could have been accessed without authorization does not necessarily mean that you are the victim of identity theft. For further assistance, contact the IdentityForce specialist at 1-877-MYIDFORCE (877-694-3367), Monday-Friday, between 7:30 a.m. and 4:30 p.m.
I am hearing conflicting information on whether I need to or should file an IRS Form 14039, Identity Theft Affidavit.
Please review the IRS recommendation
I am enrolling in the IdentityForce services, but it is requesting additional personal information. How should I respond?With your membership, IdentityForce will monitor the internet for potential misuse of your personal information. You are not required to provide your debit card and bank account information to IdentityForce, but you have the option to provide that and other types of information, so they can monitor them if you would like them to do so. IdentityForce Membership Services personnel can explain this; call 1-877-MYIDFORCE (877-694-3367), Monday-Friday between 7:30 a.m. and 4:30 p.m.
What is the district doing to prevent a data breach from happening again?Additional protocols and staff training are in place.
Can I remove my personal information from the district webpages? We ensure that any staff information posted on the district and school websites is categorized as public personnel data per School Board Policy 406. This may include staff member names, job titles, job descriptions, education and training background, previous work experience, work-related continuing education, work locations, work phone numbers, honors and awards, or other items listed in the policy under IV. PUBLIC PERSONNEL DATA.
Regarding photos: Staff members are welcome to post or remove their photo from their Hub profile as they see fit. Other photos of staff members may be used on the website and in other publications (for news of awards/honors, etc.) unless we receive a specific request from a staff member not to use their photo.
What should I do if someone tried to open a credit application or loan with my information?
Call IdentityForce membership services (877-694-3367) and a specialist will be assigned to handle your case. This only applies if you are enrolled in IdentityForce.
What should I do if someone made fraudulent charges on my credit card?
Call your credit card company.
Can I request District Approved Leave to get my taxes filed?
The District is generally not approving DAL for tax preparation, etc.
Is IdentityForce Advanced Fraud Monitoring the same as Credit Monitoring?
IdentityForce Advanced Fraud Monitoring triggers a message to any lender/creditor seeking your credit report. It is a red flag to a lender/creditor. However, it does not prevent a lender/creditor who chooses to ignore the alert, or approve credit without pulling a credit report. Credit monitoring can include additional cross-checks with public records, criminal records and address change databases.