Hard drive manufacturer Seagate may face a lawsuit from its own employees for failing to protect their data.
The company was breached in early March this year when one of Seagate's employees in human resources opened an email from someone pretending to be the CEO.
That email requested that employees' W-2 forms be sent over. The employee, believing the person contacting the HR department was the boss of bosses, promptly sent them.
With that, everyone who worked at Seagate in 2015 was known to the hackers. The employees' lawyers believe that number to be around 10,000.
At the time Seagate told tech news outlet The Register: "At this point we have no information to suggest that employee data has been misused, but caution and vigilance are in order. We deeply regret this mistake and we offer our sincerest apologies to everyone affected."
The data, which included social security numbers, income figures, and work and home addresses, was valuable not only to those who stole it but to the employees it belonged to.
In July, a number of employees of the company filed a class-action lawsuit against Seagate in the Northern California District Court.
According to the lawsuit, “almost immediately, the cyber-criminals exploited Seagate's wrongful actions”. Among other things, they filed tax returns in the names of those employees, using their social security numbers and in some cases the social security numbers of their spouses.
According to the lawsuit filed, this means that Seagate must have disclosed more than just the W-2s.
The lawsuit goes on to say that the families of those employees will now forever be at heightened risk of identity theft: “Many Employees and Third Party Victims have already suffered out-of-pocket costs attempting to rectify fraudulent tax returns and engaging services to monitor and protect their identity and credit. Employees and Third-Party Victims will continue to suffer out-of-pocket costs in the future to protect and, if necessary, repair their credit and identity.”
Seagate maintains that the company cannot be held responsible for fraud carried out by third parties. However, the company's CFO has admitted in an email to staff that “this mistake was caused by human error and lack of vigilance, and could have been prevented.”
Seagate has filed a motion to have the suit dismissed.
In cyber-security, this kind of attack is a growing problem. Whaling, impersonating a senior figure within an organisation in order to squeeze information, leverage or money out of subordinates, has cost some large organisations a great deal of money. Late last year, Bitcoin processor BitPay was conned out of over £1 million by someone pretending to be the company's CFO.
Typically an attacker will spend weeks or months learning about the internal workings of a targeted organisation before striking. They then craft an email account that looks as close as possible to one owned by a senior member of the organisation.
The scam works by catching the person in the right place off guard. Peter Coogan, principal security response manager at Symantec, told SCMagazineUK.com earlier this year that “the scammers then use a few simple tricks to try and avoid arousing suspicion. The emails often state how the CEO is travelling or is in a meeting and can't accept phone calls. Many of the emails have ‘sent from my iPad' appended, which could be included to reinforce that the sender is on the road or excuse the poor English in the message.”
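The tell-tale signs described above (an executive's name on an address that is not theirs, a Reply-To pointing outside the company, and the "travelling, can't take calls, sent from my iPad" pretexts around a W-2 request) can be turned into a simple mail-gateway triage check. The following is an added example, not code from the article, Seagate or Symantec; the executive roster, the corporate domain and both sample messages are constructed placeholders.

```python
"""Heuristic triage for CEO-impersonation ("whaling") email as the article describes it.
Added example, not from the article or Seagate. The executive roster, the corporate
domain and the sample messages are constructed placeholders."""
import re
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "example.com"                        # assumed corporate domain
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}  # constructed executive roster

# Pretexts the article quotes: boss is unreachable, "sent from my iPad", W-2 request
PRETEXTS = [r"in a meeting", r"travel+ing", r"can.?t (take|accept) (phone )?calls",
            r"sent from my ipad", r"\bw-?2s?\b"]

def score_message(raw):
    """Return (score, reasons) for one raw RFC 5322 message string."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    reasons = []
    # Known executive's display name on an address that is not theirs (lookalike domain)
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        reasons.append(f"display-name impersonation: {name} <{addr}>")
    # Reply-To steering the answer to a mailbox outside the company
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != CORP_DOMAIN:
        reasons.append(f"external reply-to: {reply}")
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = msg.get("Subject", "") + " " + body
    for pat in PRETEXTS:
        if re.search(pat, text, re.IGNORECASE):
            reasons.append(f"pretext: /{pat}/")
    return len(reasons), reasons

# Constructed sample resembling the W-2 request described in the article
SUSPICIOUS = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo.office@mail-examp1e.net
Subject: W-2s needed today
Content-Type: text/plain

I'm travelling and can't take calls. Please send all 2015 W-2s as PDF.
Sent from my iPad
"""
# Constructed benign message from the executive's real address
BENIGN = """From: Jane Doe <jane.doe@example.com>
Subject: Lunch on Thursday
Content-Type: text/plain

Shall we move lunch to 1pm?
"""
```

A score of two or more (an identity mismatch plus at least one pretext) is a reasonable threshold for holding the message for a second pair of eyes or an out-of-band call-back to the named executive.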
This isn't the first time that the employees of a breached company have sued their employer, either. As of April, 6,000 Morrisons employees were in the process of suing the supermarket giant after one former employee published the details of nearly 100,000 employees on the internet.
In some quarters it has been suggested that civil law might be a way to push organisations into improving their security posture.
Last year, application security company Veracode carried out a survey with the New York Stock Exchange on how board members feel about the potential blowback from a breach. Talking to nearly 300 board members, the report found, among other things, that three out of five directors and executive officers expect an “increase in shareholder lawsuits as a result of heightened corporate cybersecurity liability”.