A Seagate employee was victimized by a phishing scam and unknowingly emailed the income tax data for current and some former company employees to an unauthorized third party making them all potentially vulnerable to potential income tax refund fraud.
Seagate told SCMagazine.com in a Monday email that it learned on March 1 that one of its staffers answered what turned out to be a fake email requesting the W-2 data for all current and former workers who were with the company at some point in 2015. Instead of helping out a company executive, the bamboozled employee exposed thousands of people's personal data to potential fraudsters.
“Given the timing of the attack, it is almost certain the gang behind this is planning to commit income tax refund fraud just in time before the annual deadline,” Jerome Segura told SCMagazine.com Monday in an email.
Seagate has contacted the Internal Revenue Service (IRS) and law enforcement regarding the breach. Company spokesman Eric DeRitis told SCMagazine.com in an email that the exact number of employees affected is only being shared with the police, but according to the website Macroaxis, Seagate has in excess of 52,000 employees worldwide. However, only U.S. workers were involved in this incident.
“We immediately notified the IRS which is now actively investigating it along with federal law enforcement. The IRS has also informed us they have added extra scrutiny to our employees' accounts in order to prevent fraudulent tax returns from being processed,” Seagate said in a written statement.
Segura said he would not be surprised if Seagate employees would be victimized multiple times due to this breach.
“It is also quite likely that the stolen data will be resold in the underground once the initial goal has been achieved. In fact, we can expect Seagate employees to become victimized more than once in the near future,” Segura said.
The company said so far none of the exposed data has been used for malicious purposes, but it has offered two years of credit fraud protection through Experian. Experian itself was struck with a data breach in 2015 with the information from more than 15 million T-Mobile customers that Experian had on file being taken.
Scott Gordon, Finalcode's COO, pointed out that if Seagate had protective measures the impact of the breach could be greatly minimized.
“In this case, it appears that electronic digital rights management could have helped maintain data privacy,” he said, “Using the proper controls for data access and encryption would ensure that the file owner – in this case Seagate –maintains control of the data, even after it was mistakenly sent. Certainly, the capability to remotely delete the files after they were sent would have been very useful too.”
Seagate said it is analyzing the attack and will implement changes in procedures to prevent this from happening again.
The Seagate breach was the second in two weeks where hackers focused on grabbing financial information from a corporation. In late February Snapchat's payroll department was victimized by a similar attack.