A single deceptive email triggered a citywide data breach in Nitro, exposing employee tax information and prompting a multi-agency investigation called “Project Papa.â€
In July, the Gazette-Mail reported that the City of Nitro had fallen victim to a data breach. Newly obtained records through the Freedom of Information Act requests now provide a clearer picture of how the incident unfolded, the city’s response and the impact on affected employees.
City records show the incident began when a city accounting employee received an email on Jan. 21 that appeared to come from "Dave Casebolt" — similar to Mayor David Casebolt's name, but it was from a Gmail address instead of the city's standard email addresses that end in cityofnitro.org.
The message read: “I hope you have not become too involved. Kindly copy me copies of 2024 W2 (PDF) of all staff for a quick review.â€
The employee complied, sending a PDF labeled “W-2 forms 2024†containing employees’ names, addresses, Social Security numbers and tax withholding data — information that can be used to file fraudulent tax returns.Â
According to city records, the employee realized the mistake about four hours later and requested that the city’s IT provider, Netranom, block the fraudulent address.Â
According to City Planner Kim Reed, W-2 information for 147 employees was compromised. The city employs an average of 120 part-time and full-time workers annually, including seasonal lifeguards for the pool, the fire department and police department.
'Project Papa'
City officials said in an email that, "After a group of employees reported challenges with their IRS return, it was then determined that an investigation was needed to look deeper into the matter and an email was sent to City of Nitro department heads to alert everyone that a hacking occurred and was being dealt with as a top priority."
That email was sent by Deputy Treasurer Natalie Wright on Feb. 18.
City officials said Netranom was alerted Feb. 19, and the cyber insurance claim was filed. Records also show the employee who compromised the W-2 information attempted to correspond with the spoofed email again that same day, asking "Dave Casebolt" whether additional forms were needed for another task. City officials indicated this was done in coordination with the Nitro Police Department and the IRS to make contact with the scammer in hopes of identifying their location or tracking their computer's IP address.Â
The internal investigation and clean-up efforts following the incident were dubbed “Project Papa" by employees. It began on Feb. 28 with the appointment of an attorney from the Virginia-based Woods Rogers law firm, which was appointed by WVcorp, the City of Nitro's insurer, to assist with the cyber incident. The law firm and the City met for the first time on March 3.
Email records confirm a phone call with Reed, Wright, and City Recorder Rich Hively to discuss the next steps. This was also when a third-party cybersecurity firm, Surefire Cyber, was brought on by the law firm to investigate.
Project Papa lasted a little over a month.
At the time of the incident, Nitro’s IT services were managed by Netranom; the city switched to SecureNet in July.Â
The city's attorney also said any expenses related to the breach were covered by insurance.Â
How were employees affected?
On March 10, during Project Papa, Fire Chief Casey Mathes sent an email that reads, "I have been asked numerous times what the city is doing to [assure city staff] after the breach how things are being handled and protected. Is there any protection the city is going to supply for everyone that was compromised?"
Wright replied that she was still waiting for official confirmation but indicated employees may receive between 1-3 years of coverage from a program like Lifelock, an identity theft protection service.
On April 10, Mathes followed up again asking for guidance. That same day, Wright replied that employees should receive a letter with an explanation as well as instructions on how to access identity theft protection, noting there was "nothing else on [their] part" to do.
City officials confirmed those letters were sent on April 8.
In July, the Gazette-Mail interviewed Tiffany Brogan, who lamented that — because of her husband's delayed tax return caused by the data breach — she couldn't take a Myrtle Beach honeymoon she and her husband had postponed since their wedding in August 2024. They were told by the IRS that her husband, a Nitro city employee, had already been sent a return.
It turned out to be a fraudulent return submitted to the IRS by someone else using Brogan's husband's compromised W-2 information, Brogan said.
They have worked to get their tax return, but Brogan said the IRS told them it could take as long as 580 days for the IRS to investigate it.
Officials said employees were notified and offered 12 months of complimentary identity and credit monitoring, fraud consultation and identity restoration services.
As of Sept. 11, she said there was still "no letter [from the city], no help, and still no tax return. It really sucks," Brogan said. "I've called [the] IRS, but you can't ever get a person. I feel helpless. I don't understand what's happening with it and [there's] no one to ask for help."
Brogan alleges her husband tried to speak to someone about the incident at City Hall at least three times, but he has not yet received assistance.
Casebolt, the mayor, said his data was also compromised in the leak but emphasized Nitro officials are doing what they can to assist employees.
“Unfortunately, the city was the victim of a phishing scam that affected numerous employees’ IRS tax filing records," he said. "I believe, after determining the extent of the matter, we were able to provide information and assist any employee needing guidance moving forward.â€
Johnnie Brown, the city's attorney, also said Wright assisted employees with IRS affidavits and letters following the incident. He said the city’s role was limited because the IRS requires each taxpayer to act individually.
Responsibility and security practices
In November 2024, Netranom shared an update with Nitro officials on the managed IT services the company would provide as part of its contract. They had been the city's IT provider since 2021, according to Reed. In this list was a recommendation for phishing security measures and cybersecurity awareness training. At the time of the incident, the City of Nitro did not require cybersecurity training for employees, though the city's attorney said they encouraged employees to attend free cybersecurity webinars offered by its insurance provider.
The city said it does not routinely share sensitive employee information via email or other platforms, though employees are not forbidden from using personal email accounts for city business at their discretion.
According to Brown, the accounting employee who sent the compromised email initially reported the misdirected W-2 email to IT, believing the matter was being handled.
Surefire Cyber reported in March that there had been questionable activity — "email rules" that automatically forward emails — for another city account, but ultimately determined the employee who compromised the W-2 information had not been hacked. Instead, the cybersecurity firm confirmed the employee fell prey to a "spoof" email — which is when a forged sender address is used to make a message appear as though it comes from a trusted source.
In the Gazette-Mail's FOIA request, the Nitro officials were asked to produce copies of reports, investigations or summaries related to the incident, as well as emails and other correspondence between city employees regarding the data breach. There was no evidence sent from the City of Nitro suggesting the accounting employee notified city leadership or any other employee about the data breach. There was also no evidence that an incident report of any kind was filed.
Instead, city officials say they did not determine that an email scam occurred until the investigation began on Feb. 19. That is also when the city filed an insurance claim for the incident.
"The city promptly determined an action plan," said Joe Stevens, executive director of the Nitro Convention & Visitor's Bureau.
FOIA records don’t show if the accounting employee who compromised the city's W-2 information told anyone else about the Jan. 21 incident.
When asked if any employees received disciplinary action as a result of the data incident, officials responded that the City does not comment on internal employment issues.
Is this a common problem?Â
According to data from the Pew Research Center, 73% of U.S. adults have experienced some kind of online scam or attack, and these are common across age groups. Most get scam calls, texts and emails at least weekly.
Statista reported that, in 2024, the most common type of cybercrime reported to the U.S. Internet Crime Complaint Center was phishing, with its variation, spoofing, affecting approximately 193,000 people.
CLICK HERE to follow the ÂÒÂ×ÄÚÉä Gazette-Mail and receive
