Cyber Incident Victim: Tidewater Community College
Date: Mar 2016
Location: United States of America
Summary
A spear phishing attack compromised Tidewater Community College, resulting in unauthorized access to W-2 tax information for approximately 3,000 current and former employees. An employee inadvertently provided names, Social Security numbers, earnings, withholding, and deduction details for 2015 after responding to a fraudulent email impersonating an internal request. The breach did not expose addresses, dates of birth, banking data, or email addresses. Subsequently, malicious actors fraudulently filed tax returns for at least 16 individuals using the stolen data. The institution initiated cybersecurity training for staff handling sensitive information, launched an investigation, and partnered with a credit monitoring service to assist affected personnel.
Description
On March 2, 2016, Tidewater Community College (TCC) in Norfolk, Virginia, experienced a data breach when an employee responded to a spear-phishing email disguised as a legitimate internal request. The attacker impersonated a trusted college authority to solicit the W-2 tax forms of all individuals employed by TCC during 2015. This resulted in the exposure of sensitive information for approximately 3,000 current and former employees, including full-time, part-time, adjunct, and student workers. The compromised data encompassed names, Social Security numbers, 2015 earnings, and tax withholding and deduction details. Notably excluded were physical addresses, dates of birth, spouse information, banking details, and email addresses. The breach was detected after fraudulent tax filings were identified, with the Virginia Enterprise-Pilot reporting that 16 victims had false returns submitted in their names by malicious actors exploiting the stolen data. The incident stemmed solely from human error in falling for the phishing scheme, with no evidence of technical system compromises or malware involvement.

TCC initiated multiple response measures following the breach. The college launched an internal investigation to assess the attack’s scope and partnered with a credit monitoring service to assist affected employees in detecting misuse of their information. TCC implemented mandatory cybersecurity training for all personnel handling sensitive data, emphasizing verification protocols for unusual email requests. Administrators advised impacted individuals to file their tax returns immediately to preempt fraudulent submissions using their stolen W-2 details. The college publicly acknowledged that technological safeguards alone could not prevent such socially engineered attacks, urging staff to scrutinize emails lacking official signatures or exhibiting suspicious characteristics—even those appearing to originate from colleagues. No further technical remediation steps were disclosed, as the breach resulted from procedural failure rather than system vulnerabilities.
