Seagate employee falls victim to the same email scam that a poor Snapchat employee fell for a week ago

Mar 7, 2016 10:41 GMT

A distrait Seagate staffer has carelessly emailed copies of W-2 tax forms for thousands of current and former Seagate employees to an online scammer, Brian Krebs reports.

The incident took place on March 1, 2016, when a Seagate employee received a spear-phishing email made to look like a legitimate internal company request, asking for W-2 tax forms for a large number of current and past employees.

The Seagate staff member complied with the demand and replied to the email with the requested files, only to discover a short while later that he had been duped.

As soon as Seagate found out about the incident, it informed authorities and started sending notification letters to all affected parties. One of the former Seagate employees who received such a letter forwarded it to former Washington Post reporter Brian Krebs, who made the incident public on his blog.

A company spokesperson told Mr. Krebs that W-2 forms for thousands of current and former employees have been exposed, but not more than 10,000.

Tax fraud has become extremely popular in the past year

W-2 tax forms record an employee's wages and salary, along with the amount of federal, state and other taxes withheld from paychecks. Along with these details, the form also contains the employee's Social Security Number (SSN), home address, and contact information.

All this data is more than a scammer would need to file fraudulent tax returns on behalf of each victim.

Fraudulent tax returns have become the favorite method of siphoning cash from people who had their identity and financial information exposed. Only last year, in a single incident, the IRS reported that attackers accessed the IRS accounts of over 390,000 users and tried to file fraudulent tax returns.

At the start of February 2016, someone also tried to generate E-filing PINs for 464,000 US taxpayers, succeeding in obtaining 101,000 PINs, which could have been used in fraudulent tax returns.

Just last week, Snapchat also reported a similar incident in which an employee was fooled into revealing payroll information about some of its employees. The scammers used the same spear-phishing trick, posing as the company's CEO and asking for employee details.

"Phishing scams are increasingly more sophisticated and convincing, and today’s news is a great example of how difficult it can be to avoid such targeted schemes. In this case, it appears that electronic digital rights management could have helped maintain data privacy," said Scott Gordon, COO at FinalCode, a file security company. "Using the proper controls for data access and encryption would ensure that the file owner – in this case Seagate – maintains control of the data, even after it was mistakenly sent. Certainly, the capability to remotely delete the files after they were sent would have been very useful too."