Hard drive manufacturer Seagate was sued by its own employees as the result of a successful CEO fraud attack in which the personal information of 10,000 existing and former employees was stolen in an online phishing scam. Seagate's lawyers defend the company, claiming that the organization is not responsible for data leaks and that the attack was unexpected. Really?
The confidential information includes social security numbers, salary details, and W-2 tax information: essentially all that is required to steal someone's identity. Seagate divulged that all this information was stolen by social engineering an employee in HR, who sent all the information to the bad guys thinking the request was legit.
In April, a group of employees decided to sue Seagate with a class-action complaint. Here is the PDF with the lawsuit, from the US District Court of Northern California. Why did they decide to sue?
The data was almost immediately used to file fraudulent tax returns
Top Class Action said: "The class action claims that employees are already falling victim to identity theft from the private information leak. The complaint alleges that “Almost immediately, the cybercriminals exploited Seagate’s wrongful actions and filed fraudulent federal and state tax returns in the names of the Employees.” The complaint also notes that some of those fraudulent tax returns were filed as joint returns, meaning that the hackers also have at least the social security numbers of employees’ spouses.
"The Seagate employee data breach class action lawsuit asserts that the cyber-criminals “may continue to exploit the data themselves and/or sell the data in the so-called ‘dark markets,’” and that “the Employees and Third-Party Victims are now, and for the rest of their lives will be, at a heightened risk of identity theft.”"
The case is scheduled to be heard September 22, 2016, and rest assured we will report on this when there is more news.
We also strongly recommend phishing your own users to prevent these types of very expensive snafus.