A Seagate employee was victimised by a phishing scam and unknowingly emailed the income tax data for current and some former company employees to an unauthorised third party making them all potentially vulnerable to potential income tax refund fraud.
Seagate told SCMagazine.com in a Monday email that it learned on 1 March that one of its staffers answered what turned out to be a fake email requesting the W-2 data for all current and former workers who were with the company at some point in 2015. Instead the bamboozled employee exposed thousands of people's personal data to potential fraudsters.
“Given the timing of the attack, it is almost certain the gang behind this is planning to commit income tax refund fraud just in time before the annual deadline,” Jerome Segura told SC in an email.
Seagate has contacted the Internal Revenue Service (IRS) and law enforcement regarding the breach. Company spokesman Eric DeRitis told SC in an email that the exact number of employees affected is only being shared with the police, but according to the website Macroaxis, Seagate has in excess of 52,000 employees worldwide. However, only US workers were involved in this incident.
“We immediately notified the IRS which is now actively investigating it along with federal law enforcement. The IRS has also informed us they have added extra scrutiny to our employees' accounts in order to prevent fraudulent tax returns from being processed,” Seagate said in a written statement.
Segura said he would not be surprised if Seagate employees were victimised multiple times due to this breach.
“It is also quite likely that the stolen data will be resold in the underground once the initial goal has been achieved. In fact, we can expect Seagate employees to become victimised more than once in the near future,” Segura said.
The company said so far none of the exposed data has been used for malicious purposes, but it has offered two years of credit fraud protection through Experian. Experian itself was struck with a data breach in 2015 in which it lost the information of more than 15 million T-Mobile customers.
Scott Gordon, Finalcode's COO, pointed out that if Seagate had protective measures the impact of the breach could have been greatly minimised.
“In this case, it appears that electronic digital rights management could have helped maintain data privacy,” he said. “Using the proper controls for data access and encryption would ensure that the file owner – in this case Seagate – maintains control of the data, even after it was mistakenly sent. Certainly, the capability to remotely delete the files after they were sent would have been very useful, too.”
Seagate said it is analysing the attack and will implement changes in procedures to prevent this from happening again.
The Seagate breach was the second in two weeks where hackers focused on grabbing financial information from a corporation. In late February Snapchat's payroll department was victimised by a similar attack.