Data storage firm Seagate is facing legal action after a phishing scam apparently resulted in it turning over information about some of the company’s employees to scammers. A group of Seagate workers is suing the company after their personal information was allegedly given to hackers by a senior human resources representative.
In March 2016, the company’s human resources department received an email that was purportedly sent by Seagate CEO Stephen Luczo. The correspondence requested copies of employees’ 2015 W-2 tax forms, as well as other personal information, according to a report from Tech Spot.
Information pertaining to nearly 10,000 past and present employees was given to the scammers, including names, home addresses, Social Security numbers, and figures relating to personal income. The class-action lawsuit filed by staff affected by the breach claims that this information was “almost immediately” put to use, as the scammers filed fraudulent tax forms and pursued other kinds of identity theft.
It isn’t just the employees themselves who have been impacted by this phishing attack — information pertaining to family members or beneficiaries named in various documentation was also handed over.
“In order for the cyber criminals to have obtained employees’ spouses’ Social Security numbers, Seagate would have had to have disclosed more than just the Form W-2 data for employees,” reads the suit, which was filed in July through the Northern California District Court, according to a report from The Register. It’s thought that documentation related to insurance and retirement funds was also supplied to the scammers.
The lawsuit requests a trial by jury to determine whether the victims are entitled to damages and out-of-pocket expenses. The company maintains that while the event was “unforeseen” and “unfortunate,” the plaintiffs “must actually allege facts that show they are entitled to relief from Seagate.”
However, communication from the company’s CTO in the wake of the attack could work in the victims’ favor. On March 3, employees allegedly received an email which stated that the leak “was caused by human error and lack of vigilance, and could have been prevented.”