American data storage company Seagate is disputing a lawsuit filed by some of its employees whose personally identifiable information was accidentally exposed in a phishing attack.
On 1 March, 2016, an employee in the HR department at Seagate received a spoofed email from someone claiming to be the company's CEO. Unfortunately, as reported by infosec investigative journalist Brian Krebs, that employee believed the email was legitimate and complied with its request by sending over several thousand employees' W-2 forms.
A type of wage and tax statement, a W-2 form contains a range of sensitive details about an individual, including their income information, Social Security Number, and other data.
The company began notifying staff members about the incident three days after it occurred. But according to ZDNet, many victims didn't hear from the company until a week had passed. By that time, the scammers had already begun abusing the stolen information by filing fake federal and state tax returns on behalf of the employees and their loved ones.
Many of those affected by the breach feel Seagate was negligent in preventing and responding to the incident. That's why they've filed a complaint against the company and are asking Seagate to pay damages and fees to victims nationwide.
As the suit (PDF) alleges:
"No one can know what else the cybercriminals will do with the employees' and third-party victims' personally identifiable information. However, the employees and third-party victims are now, and for the rest of their lives will be, at a heightened risk of identity theft. Many employees and third-party victims have already suffered out-of-pocket costs attempting to rectify fraudulent tax returns and engaging services to monitor and protect their identity and credit."
For its part, Seagate is attempting to get a judge to dismiss the lawsuit on the grounds that it should not be held responsible for the actions of third-party personnel, that is, the phishers.
If the company fails in its efforts, a jury will hear the trial later in 2016.
In today's world, it's important that companies invest in anti-phishing measures so that they can protect their employees' information and defend against a data breach. One of the most important ways they can do this is by running phishing simulations so that their entire workforce learns to spot a scam and avoid acting on it.
Would your employees benefit from this type of training?