Seagate succumbs to phishing scam: customers should be safe, employees not so much
Companies seem to get compromised on a regular basis and, for the most part, the cause is security holes in their systems. But user error can also be to blame in some cases -- an errant click on an email attachment can unleash all manner of headaches for an IT department.
Such seems to be the case now with Seagate as reports are emerging of a loss of employee data that came via a phishing scam.
The problem arose when an employee at the company was swindled into releasing the W-2 tax documents of all current and past employees. Yes, that's really bad -- it means Social Security numbers, salaries and various other personal data. This allows the attackers to use the information to file fake tax returns with the IRS.
Security researcher Brian Krebs laments that "According to Seagate, the scam struck on March 1, about a week after KrebsOnSecurity warned readers to be on the lookout for email phishing scams directed at finance and HR personnel that spoof a letter from the organization’s CEO requesting all employee W-2 forms".
Krebs also received a chilling quote from Seagate spokesman Eric DeRitis -- "On March 1, Seagate Technology learned that the 2015 W-2 tax form information for current and former U.S.-based employees was sent to an unauthorized third party in response to the phishing email scam. The information was sent by an employee who believed the phishing email was a legitimate internal company request".
Seagate has declined to comment on the number of people affected, but it has sent notices to all of them. The company is also offering a two-year membership to Experian's ProtectMyID.
Security researcher Graham Cluley points out that this is "Hardly the most sophisticated attack in the world, but one that is remarkably effective". Perhaps IT departments need to mandate better training.