Groton — The superintendent of Groton Public Schools placed the business manager on administrative leave Friday and began an internal investigation into a security breach in which an imposter sent an email posing as the superintendent and obtained the W-2 forms of all district employees.

Superintendent Michael Graner said he placed Business Manager Don Meltabarger on leave because he supervises the office where the breach occurred. Graner said he has not reached any conclusions yet and school officials are cooperating with the police investigation.

The business office has seven employees, Graner said. He said he does not know how many were involved in sending the email, which released the W-2 forms of 1,363 employees of Groton Public Schools.

Graner said he hadn’t decided yet what disciplinary action he would take or how many employees it would affect.

“That’s what my investigation will determine,” he said.

The business office is the only office in the school department with access to W-2 forms. That access may be restricted further depending on what the investigation finds, Graner said.

The school computer system wasn’t breached in the sense that it wasn’t hacked into from the outside; rather, school employees were the victims of a computer “phishing” scam, in which a scammer tricked employees into turning over tax information.

On Wednesday, the business office received an email from an imposter posing as the superintendent and asking for the W-2 forms of all public schools employees. The office sent the tax forms in response, then realized it had made an error.

Groton Town Police and the IRS are investigating.

“After this review we definitely will implement additional policies and training and may look at further restricting” access to personal information, Graner said. “This is going to cause us to take an all-encompassing look at our data security ... obviously there was a major flaw in that this could occur.”

Police received a complaint from the school department Thursday and sent patrol officers and detectives to investigate, Deputy Chief of Police Paul Gately said. The IRS is working with the department on the investigation, which is in its early stages, he said. "We are not unique, meaning the Town of Groton. It appears that this is a scam that's been ongoing for some time — at least a month."

The IRS issued a scam alert on Feb. 2, he said.

Groton Town Manager Mark Oefinger said he spoke to the town finance and human resources directors on Thursday after he learned of what occurred. "We had gotten a similar request a while ago and we knew it was a fake request, but this can happen anywhere," he said.

On Feb. 8, the town Finance Department received an email asking for the W-2 forms of all town employees, supposedly signed by Oefinger. Cindy Landry, the finance director, realized the email was a scam and reported it to police, Oefinger said.

The town and school department are effectively one entity if a victim of the school department breach sues, but Oefinger said he doesn't anticipate issues with legal liability.

"It was not done intentionally or with malice. All these 1,300 folks, they're all victims," he said.

The district on Thursday arranged for the purchase of a credit monitoring plan to protect employees. That plan would last initially for one year, then be reviewed, Graner said. The cost was not immediately available. Graner said it would depend on the number of employees who register for the program and how many times it is activated by a scammer trying to use someone's information. Most of the cost will be covered by insurance, he said.

The vast majority of cyber breaches start with "phishing expeditions" that dupe employees into sharing personal information and data, said Frank Cilluffo, director of the Center for Cyber and Homeland Security at George Washington University.

"This underscores that in addition to having a well-heeled cyber security team armed with the latest technology, one must also invest in training and educating the entire workforce," Cilluffo wrote in an email.

Criminals who get the data can exploit it immediately or, when it deals with identity theft, use it over a lengthier period of time, he wrote.  A criminal may use it in many ways, including opening new lines of credit, filing life insurance claims or even opening and closing businesses, he said.

If information is stolen, people can take immediate steps to protect themselves by buying credit monitoring services, changing all passwords and requiring a two-step authentication with all online accounts, he wrote.

"...Educating the entire workforce to the many risks posed by phishing and other related activities ought to be a prerequisite and offered on a regular basis (part of the on-boarding process for new employees and beyond)," he wrote.

Employees were scheduled to be briefed at 3 p.m. and 4 p.m. on Friday by an IRS agent regarding how to safeguard their financial records. The meetings were closed to the media due to personal data and information being discussed.

“We’re sick over it,” School Board Member Jay Weitlauf said before the meeting Friday, referring to the breach. But he and Board Member Katrina Fitzgerald said they also had confidence in Graner to handle the situation. Several employees said they’d had their personal information taken before in connection with data breaches elsewhere.

Beth Horler, president of the Groton Education Association, which represents about 435 teachers in the public schools, said she was pleased with “the rapid response” of the school district and its prompt notification of employees.

“We’re pleased that the district is putting the employees first and securing their information and providing monitoring of their information,” she said. Horler, a teacher at S.B. Butler Elementary School, said she’d had personal information accessed before, through a breach at the Department of Defense.

“I think more and more people are getting used to this happening,” said Larry Croxton, vice president of the association and a teacher at Robert E. Fitch High School.

Graner said the school department would also notify the approximately 30 employees who worked for the district in 2016 but retired or left. Protection will be extended to them as well, he said.

Graner also contacted the school department’s insurance company and its attorney in the event of a lawsuit.

 d.straszheim@theday.com