An employee of Rockhurst University in Kansas City has filed a lawsuit after a phishing scheme exposed the personal information of more than 1,000 employees.
A Rockhurst University employee is suing the school after private information belonging to herself and another 1,200 of the school's employees was provided to criminals by one of her colleagues who fell prey to CEO fraud-type spear phishing last month.
One April 4th, a criminal impersonating an administrator of the Kansas City liberal arts college sent an email to an employee handling human resources materials asking that the worker send him (or her) W-2 information (which, naturally, included Social Security Numbers and income figures) for the school's employees. The email address provided by the criminal was external to the school, but the targeted employee apparently was not alarmed, and sent the materials.
The lawsuit filed last week in Jackson County Circuit Court by Alexandria Stobbe claims that Rockhurst was reckless because it failed to establish and implement appropriate data protection for employees' personal information - that the school demonstrated "flagrant disregard" for the employees' rights to privacy and put them at "an imminent, immediate and continuing increased risk of identity theft, identity fraud and medical fraud." The filing by Stobbe also asks the court to create a class-action suit on behalf of all impacted Rockhurst employees, and claims that the university's alleged failure to practice what might be termed "Due Care" harmed its workers' peace of mind, and forced them to spend time and money protecting themselves against potential fraud and identity theft.