GCI employees received an email Friday evening telling them their W-2 information had been disclosed to a third party last week through an email phishing attack.
In the email, GCI Executive Vice President Greg Chapados said the company believes the 2015 W-2s of all employees who worked for the Alaska telecom company and its subsidiaries Denali Media, UUI and Unicom at any time during 2015 have been disclosed.
That information includes Social Security numbers, names, addresses, income and tax withholding information. No customer information was affected, and the attack didn't compromise GCI's IT systems or networks, the email said.
David Morris, a company spokesman, said over 2,500 people were affected by the attack.
In February, a third party impersonated GCI's Chief Financial Officer Pete Pounds via email to the company's payroll department. That third party requested employee payroll information and specifically W-2s for everyone who worked at GCI in 2015.
"The employee who received the sham email correctly questioned the request as unusual," Chapados wrote. "The third party impersonating Pete persisted with the request, however, and ultimately the requested information was emailed to the third party on Feb. 24."
GCI became aware of the attack on Thursday, notified the FBI, and is continuing to investigate the attack. It's too early to know who's responsible for the scam, Morris said.
He also said that GCI has already been giving employees training on phishing attacks in particular, but he could not say if the person in the payroll department who disclosed the information had taken that training. That person has not been fired.
"It's important to realize this wasn't a malicious act on this person's part," Morris said. "They certainly seem to require more training on phishing scams, but in general, GCI is not a punitive company."
He also urged consumers to be careful with what they communicate via email.
"Just because the 'from' line might indicate someone you know, you need to make sure it's really coming from that person," he said.
GCI is providing affected employees with two years of credit monitoring, identity theft counseling and other services, and identity theft insurance. The company is urging employees affected by the attack to notify the IRS that their W-2s were compromised.
"The rest of the GCI management team and I take this attack very seriously. ... I apologize for the inconvenience and anxiety this situation may cause you and your family," Chapados said in his email.