An unknown hacker downloaded the personal data of “a small number” of Whatcom County Library System employees in June, WCLS Executive Director Christine Perkins told Cascadia Daily News on Sept. 9.
These employees had their names and birthdates stolen, while “a very small subset of the staff members” also had their Social Security numbers stolen, and “a smaller subset of that group” had their driver’s license numbers taken, Perkins said.
Earlier reports from the library system did not mention library employees, saying only that an unspecified number of library users had their names, birthdates, library card bar codes and PINs stolen.
News that employees were also affected by the June 26 breach came to light when a former employee showed Cascadia Daily News a copy of a letter she received in the mail, dated Sept. 2, informing her of the June “data event” and offering her free credit monitoring.
“We provided this voluntary notification letter to current and past staff members out of an abundance of caution and to address any concerns they may have regarding this ongoing investigation,” Perkins wrote Sept. 8 in an email to Cascadia Daily News.
Most employees who received letters were not affected, as far as library officials know.
“The investigation remains ongoing, and we have not confirmed the scope of this event,” the Sept. 2 letter to employees said.
The letter listed all of the information WCLS keeps on current and former employees, including name, Social Security number, birthdate, government ID card number, direct deposit financial account information, health insurance policy number and health accommodation information.
“The letter does not state and we will not speculate that recipients’ information was viewed or downloaded as a result of this event,” Perkins said in her email.
Even so, the letter’s mention of bank information and Social Security numbers alarmed retired librarian Tina Bixby. The first of several steps she took was to close her bank account, knowing it was still stored on WCLS computers.
“Lots of work,” Bixby said of the precautionary steps, “but I had no choice.”
Perkins said the library keeps personnel records “for at least six years following termination of employment.” Some records must be kept for 75 years. Bixby said she retired five years ago, after 25 years as a librarian in Lynden and Everson, and at WCLS headquarters.
Bixby said she took advantage of the free credit monitoring service WCLS had offered, changed online passwords, blocked access to her Social Security account and removed her payment information from retailers’ websites.
“I was told that only a small number of employee records were taken, and that my data was not in that group,” Bixby said. “Although my risk was very small, there was no guarantee.”
A notice about the WCLS data breach on the state Attorney General’s website said the library system sent notices to about 630 Washington residents about the breach, although it wasn’t clear if this number included the letters to employees dated Sept. 2. WCLS has declined to comment on the number of notices sent.
While the library system is upgrading its security systems and policies, officials declined to go into detail on these improvements.
“To protect the security of WCLS’s information technology environment, WCLS does not disclose its security measures,” Perkins wrote in an email.
The breach at the county library also included the names, birthdates, library card numbers and PINs of 735 users of the Bellingham Public Library, which shares some computer systems with WCLS. Personal data belonging to city library employees was not known to be affected, Bellingham officials said Sept. 8.
If your personal information is hacked
• Companies and institutions must notify individuals if their information was breached. Consider accepting whatever help the company offers, including free credit monitoring.
• Contact your financial institution. Whether it’s your credit card issuer or your bank, discuss next steps such as changing account numbers, disputing or canceling charges and setting up fraud alerts.
• Change and strengthen your passwords on all accounts. Even accounts that weren’t breached might be compromised later, especially if you’ve been using the same passwords.
• Check your free credit reports through AnnualCreditReport.com. Consider freezing your credit files to stop anyone from opening new accounts in your name.
• Keep monitoring your accounts for suspicious activity.
Source: NortonLifeLock
