Storage device manufacturer Seagate’s executives informed employees last week that their income tax data had been shared with an unknown outside party as the result of a targeted phishing attack. On March 1, a Seagate employee sent the data to an outside e-mail address after receiving an e-mail purportedly from Seagate’s CEO Stephen Luczo requesting 2015 W-2 data for current and former Seagate employees. The employee, believing the request to be real, forwarded the W-2 reporting data—exposing US employees of Seagate to potential tax fraud and identity theft.
Security reporter Brian Krebs reported the breach after learning of it from a Seagate employee who had been given written notification of the breach. The Seagate breach comes less than a week after Snapchat employees’ data was leaked in the same way. Last week, the New York Post broke news that Mansueto Ventures (the publishers of Inc. Magazine and Fast Company) also had payroll data stolen.
Seagate’s spokesperson Eric DeRitis confirmed the incident to Krebs. “On March 1, Seagate Technology learned that the 2015 W-2 tax form information for current and former US-based employees was sent to an unauthorized third party in response to the phishing e-mail scam,” DeRitis said. “The information was sent by an employee who believed the phishing e-mail was a legitimate internal company request.” DeRitis told Krebs that “several thousand” employees were affected and that the company is working with federal law enforcement; employees will receive two years of credit protection from the company.