Sprouts Farmers Market is the latest corporation to fall victim to a W-2 phishing scam, with the company admitting an employee sent off the tax data for all its workers to an unknown person.
Sprouts is a Phoenix, Ariz.-based supermarket chain with about 21,000 employees and 200 stores. The company said the employee received an email purportedly from a Sprouts senior executive asking for the 2015 W-2 statements of all Sprouts workers. The data was compiled and sent off, after which the company realized the error.
Sprouts spokeswoman Donna Egan confirmed the breach with SCMagazine.com in an email Tuesday.
"Sprouts is working with the FBI and the IRS to investigate this crime and to determine the best ways to protect team member tax information. Anyone who received a W-2 form from Sprouts for 2015 may be impacted," she said.
Sprouts joins Seagate, Snapchat and several other high-profile firms that have been hit with a similar attack.
Security executives all pointed out the difficulty of preventing socially engineered phishing attacks, but at the same time agreed that companies must better educate staffers on security issues, while incorporating some basic changes that make it harder for the average payroll employee to make such a monumental mistake.
“The question to ask about the Sprouts data breach is why that payroll employee had on-demand access to so much sensitive information? If a payroll employee wants one W-2, then maybe you just let them have it. If that same employee wants all of them all at once, then there should be something that triggers to say this is a different sort of request that deserves more scrutiny,” Jonathan Sander, vice president at Lieberman Software, told SCMagazine.com in an email Tuesday.
Nathan Sorrentino, marketing program manager at STEALTHbits Technologies, said education is another building block in the wall needed to safeguard data.
“Until organizations become more proactive in training their employees to look for the signs of this now all-too-common phishing scam, the attacks will continue into the foreseeable future,” he told SCMagazine.com in an email.
There are also some immediate practical steps and technology that can be implemented to help correct for human error.
“As a best practice, personal identifiable information should never be transmitted in an unencrypted format,” said Brad Bussie, director of product management at STEALTHbits Technologies.
Craig Young, computer security researcher at Tripwire, suggested companies try something old-fashioned: simply double-check that the request is legitimate.
“In general, whenever a request is received to send sensitive personal information outside of regular business processes, it is always a good idea to validate the request through a separate channel such as via telephone,” he told SCMagazine.com today.
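The two controls described above, Sander's point that a request for every W-2 at once should trigger scrutiny that a single-record request does not, and Young's point that such requests should be held until they are validated through a separate channel, can be combined into a simple review step over an HR system's export audit trail. The following is an added example written for this article, not code from Sprouts, SCMagazine.com or any of the vendors quoted. The audit-log format, the `W2_EXPORT` action name, the bulk threshold of 25 records and the internal domain `example.com` are all assumptions; the sample log lines are constructed.

```python
from dataclasses import dataclass, field

# Constructed sample of HR-system audit events for this example; none of this is
# real Sprouts data. Fields: timestamp, actor, action, record_count, destination.
SAMPLE_AUDIT_LOG = """\
2016-03-15T09:02:11 payroll.clerk W2_EXPORT 1 payroll@example.com
2016-03-15T09:40:27 payroll.clerk W2_EXPORT 21000 ceo.office@examp1e.com
2016-03-15T10:05:03 hr.analyst W2_EXPORT 3 hr-share@example.com
2016-03-15T10:17:45 payroll.clerk W2_EXPORT 150 audit@example.com
2016-03-15T10:30:00 payroll.clerk PAYSLIP_VIEW 1 payroll@example.com
"""

# Assumed policy values (not taken from the article): a W-2 export of more than
# BULK_THRESHOLD records in one request counts as bulk, and only addresses in
# INTERNAL_DOMAINS are considered inside the company.
BULK_THRESHOLD = 25
INTERNAL_DOMAINS = {"example.com"}
SENSITIVE_ACTIONS = {"W2_EXPORT"}


@dataclass
class AuditEvent:
    timestamp: str
    actor: str
    action: str
    record_count: int
    destination: str


@dataclass
class Finding:
    event: AuditEvent
    reasons: list = field(default_factory=list)

    @property
    def hold_for_verification(self) -> bool:
        # Any reason at all means: do not release the data yet; confirm the
        # request with the purported requester over a separate channel first.
        return bool(self.reasons)


def parse_audit_log(text: str) -> list:
    """Parse the whitespace-separated audit format assumed above into events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, actor, action, count, dest = line.split()
        events.append(AuditEvent(ts, actor, action, int(count), dest))
    return events


def destination_domain(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def review_event(event: AuditEvent) -> Finding:
    """Apply the two checks: unusual volume, and data leaving the company."""
    finding = Finding(event)
    if event.action not in SENSITIVE_ACTIONS:
        return finding
    if event.record_count > BULK_THRESHOLD:
        finding.reasons.append(
            f"bulk request: {event.record_count} records > {BULK_THRESHOLD}"
        )
    if destination_domain(event.destination) not in INTERNAL_DOMAINS:
        finding.reasons.append(f"external destination: {event.destination}")
    return finding


def review_audit_log(text: str) -> list:
    """Return only the events that must be held for out-of-band verification."""
    reviewed = (review_event(e) for e in parse_audit_log(text))
    return [f for f in reviewed if f.hold_for_verification]


if __name__ == "__main__":
    for f in review_audit_log(SAMPLE_AUDIT_LOG):
        print(f"{f.event.timestamp} {f.event.actor}: HOLD -> " + "; ".join(f.reasons))
```

Run against the sample, the single-record exports pass untouched, the 150-record export to an internal address is held purely on volume, and the 21,000-record export to a look-alike external domain is held on both counts. The design point is that the review keys on the shape of the request rather than on whether the sender looked like an executive, which is exactly the signal a convincing phishing email is built to fake.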