November 3, 2014
On Monday, November 3, it was discovered that a small number of State System employees at Kutztown University had unauthorized changes made to their direct deposit information through the payroll portion of the Employee Self Service (ESS) system. The changes were made apparently by an individual who was able to obtain login information from the employees though a sophisticated “phishing” attack, in which the employees were asked to provide their ESS username and password. The perpetrator then was able to login to the employees’ accounts and modify their banking information on the ESS system. As a reminder, you should not provide any personal information regarding your ESS account via email, regardless of how legitimate the request might appear.
While there is no indication of a System-wide security breach or exposure of other employee data, if you have direct deposit of your paycheck you are encouraged to check with your bank to verify it received your deposit for the October 31 pay date. We are asking anyone who suspects that their banking information has been compromised to call their HR Office to report the theft. The HR Office will forward these reports to the Office of the Chancellor for investigation.
As a precaution, we have temporarily disabled the ability to change or view direct deposit information through the ESS portal. We will have it back up, with additional security steps, as quickly as possible. In the meantime, you may go to your HR office if you have a need to have any changes made to your information.
Safety Tips
Online scammers are becoming much more sophisticated in their attempts to lure victims, especially using email links to false websites. It is increasingly difficult to tell the difference between legitimate and counterfeit online sites. And, unfortunately, there has been a recent increase in phishing attacks at institutions across the country.
Accordingly, each of us must be vigilant in our actions to prevent cybercrime and follow secure practices online:
1. Never respond to an email requesting personal information.
2. Use a different strong password for each online account.
3. Change passwords more frequently for accounts with access to confidential data.
4. Never share your password with others.